Abstract

Trace properties, which have long been used for reasoning about systems, are sets of execution traces. Hyperproperties, introduced here, are sets of trace properties. Hyperproperties can express security policies, such as secure information flow and service level agreements, that trace properties cannot. Safety and liveness are generalized to hyperproperties, and every hyperproperty is shown to be the intersection of a safety hyperproperty and a liveness hyperproperty. A verification technique for safety hyperproperties is given and is shown to generalize prior techniques for verifying secure information flow. Refinement is shown to be applicable with safety hyperproperties. A topological characterization of hyperproperties is given.


1 Introduction

Important security policies cannot be expressed as properties of individual execution traces of a system [2,22,42,52,60,62,64]. For example, noninterference [23] is a confidentiality policy that stipulates commands executed on behalf of users holding high clearances have no effect on system behavior observed by users holding low clearances. It is not a property of individual traces, because whether a trace is allowed by the policy depends on whether another trace (obtained by deleting command executions by high users) is also allowed. For another example, stipulating a bound on mean response time over all executions is an availability policy that cannot be specified as a property of individual traces, because the acceptability of delays in a trace depends on the magnitude of delays in all other traces. However, both example policies are properties of systems, because a system (viewed as a whole, not as individual executions) either does or does not satisfy each policy.

A property either holds or does not hold (i.e., is a Boolean function) of an object, and the extension of a property is the set of objects for which the property holds. The extension of a property of individual traces — that is, a set of traces — sometimes is termed “property,” too [4, 35]. But for clarity, trace property here denotes a set of traces.

The theory of trace properties is well understood [36,37,54]. Every trace property is the intersection of a safety property and a liveness property, where

• a safety property is a trace property that proscribes “bad things” and can be proved using an invariance argument, and

• a liveness property is a trace property that prescribes “good things” and can be proved using a well-foundedness argument.¹

This classification forms an intuitively appealing basis from which all trace properties can be constructed. Moreover, safety and liveness properties are affiliated with specific verification methods.

An analogous theory for security policies would be appealing. The fact that security policies, like trace properties, proscribe and prescribe behaviors of systems suggested that such a theory might exist. This paper develops that theory by formalizing security policies as properties of systems, or system properties.² If systems are modeled as sets of execution traces [35], then the extension of a system property is a set of sets of traces or, equivalently, a set of trace properties. We name this type of set a hyperproperty.

Every property of system behavior (for systems modeled as trace sets) can be specified as a hyperproperty, by definition. Thus, hyperproperties can describe trace properties and moreover can describe security policies, such as noninterference and mean response time, that trace properties cannot. Deterministic, nondeterministic, probabilistic, and transition-system models all can be encoded as trace sets and handled using hyperproperties.

This paper shows that results similar to those from the theory of trace properties hold for hyperproperties:

• Every hyperproperty is the intersection of a safety hyperproperty and a liveness hyperproperty. (Henceforth, we shorten these terms to hypersafety and hyperliveness.) Hypersafety and hyperliveness thus form a basis from which all hyperproperties can be constructed.

• Hyperproperties from a class that we introduce, called k-safety, can be verified by using invariance arguments. Our verification methodology generalizes prior work on using invariance arguments to verify information-flow policies [8,60].

However, we have not obtained complete verification methods for hypersafety or for hyperliveness.

¹ Lamport [33] gave the first informal definitions of safety and liveness properties, appropriating the names from Petri net theory, and he also gave the first formal definition of safety [35]. Alpern and Schneider [4] gave the first formal definition of liveness and the proof that all trace properties are the intersection of safety and liveness properties; they later established the correspondence of safety to invariance and of liveness to well-foundedness [5].

² McLean [42] gave the first formalization of security policies as properties of trace sets.
The theory of hyperproperties also sheds light on the problematic status of refinement for security policies. Refinement never invalidates a trace property but can invalidate a hyperproperty:

Consider a system $\pi$ that nondeterministically chooses to output 0, 1, or the value of a secret bit $h$. System $\pi$ satisfies the security policy “The possible output values are independent of the values of secrets.” But one refinement of $\pi$ is the system that always outputs $h$, and this system does not satisfy the security policy.

We characterize in this paper the entire set of hyperproperties for which refinement is valid; this set includes the safety hyperproperties.

Safety and liveness not only form a basis for trace properties and hyperproperties, but they also have a surprisingly deep mathematical characterization in terms of topology. In the Plotkin topology on trace properties, safety and liveness are known to correspond to closed and dense sets, respectively [4]. We generalize this topological characterization to hyperproperties by showing that hypersafety and hyperliveness also correspond to closed and dense sets in a new topology, which turns out to be equivalent to the lower Vietoris construction applied to the Plotkin topology [57]. This correspondence could be used to bring results from topology to bear on hyperproperties.

We proceed as follows. Hyperproperties, hypersafety, k-safety, and hyperliveness are defined and explored in sections 2, 3, 4, and 5, respectively. Section 6 gives a topological account of hyperproperties. Section 7 presents the hyperproperty intersection theorem and discusses hyperproperties of system representations other than trace sets (relational systems, labeled transition systems, state machines, and probabilistic systems). Section 8 concludes. Appendix A gives a guide to our notation, appendix B presents formal details of our longer examples of hyperproperties, appendix C states formal results about system representations, and all proofs appear in appendix D.

This paper revises and expands a CSF’08 paper [15], adding (i) new results about system representations, and (ii) proofs, which were absent from the earlier paper. Several of the proofs have been verified [12] using the Isabelle/HOL proof assistant [46].

2 Hyperproperties

We model system execution with traces, where a trace is a sequence of states; by employing rich enough notions of state, this model can encode other representations of execution.³ For example, section 7 discusses how to model a labeled transition system as a set of traces by including transition labels in states, thereby preserving information about the nondeterministic branching structure of the system. Section 7 also uses this encoding to model state machines and probabilistic systems.

The structure of a state is not important in the following definitions, so we leave set $\Sigma$ of states abstract. However, the structure of a state is important for real examples, and we introduce predicates and functions, on states and on traces, as needed to model events, timing, probability, etc.

³ We have not investigated analogues to hyperproperties for representations of system execution that cannot be encoded as trace sets.
Traces may be finite or infinite sequences, which we categorize into sets:

$$\Psi_{\mathrm{fin}} \triangleq \Sigma^{*}, \qquad \Psi_{\mathrm{inf}} \triangleq \Sigma^{\omega}, \qquad \Psi \triangleq \Psi_{\mathrm{fin}} \cup \Psi_{\mathrm{inf}},$$

where $\Sigma^{*}$ denotes the set of all finite sequences over $\Sigma$, and $\Sigma^{\omega}$ denotes the set of all infinite sequences over $\Sigma$. For trace $t = s_0 s_1 \ldots$ and index $i \in \mathbb{N}$, we define the following indexing notation:

$$t[i] \triangleq s_i, \qquad t[..i] \triangleq s_0 s_1 \ldots s_i, \qquad t[i..] \triangleq s_i s_{i+1} \ldots$$

We denote concatenation of finite trace $t$ and (finite or infinite) trace $t'$ as $t t'$, and we denote the empty trace as $\epsilon$.

A system is modeled by a non-empty set of infinite traces, called its executions. If an execution terminates (and thus could be represented by a finite trace), we represent it as an infinite trace by infinitely stuttering the final state in the finite trace.

2.1 Trace Properties

A trace property is a set of infinite traces [4, 35]. The set of all trace properties is

$$\mathsf{Prop} \triangleq \mathcal{P}(\Psi_{\mathrm{inf}}),$$

where $\mathcal{P}$ denotes powerset. A set $T$ of traces satisfies a trace property $P$, denoted $T \models P$, iff all the traces of $T$ are in $P$:

$$T \models P \;\triangleq\; T \subseteq P.$$

Some security policies are expressible as trace properties. For example, consider the policy “The system may not write to the network after reading from a file.” Formally, this is the set of traces

$$\mathit{NRW} \triangleq \{\, t \in \Psi_{\mathrm{inf}} \mid \neg(\exists\, i, j \in \mathbb{N} : i < j \wedge \mathit{isFileRead}(t[i]) \wedge \mathit{isNetworkWrite}(t[j]))\,\}, \quad (2.1)$$

where $\mathit{isFileRead}$ and $\mathit{isNetworkWrite}$ are state predicates.

Similarly, access control is a trace property requiring every operation to be consistent with its requestor’s rights:

$$\mathit{AC} \triangleq \{\, t \in \Psi_{\mathrm{inf}} \mid (\forall\, i \in \mathbb{N} : \mathit{rightsReq}(t[i]) \subseteq \mathit{acm}(t[i-1])[\mathit{subj}(t[i]), \mathit{obj}(t[i])])\,\}. \quad (2.2)$$

Function $\mathit{acm}(s)$ yields the access control matrix in state $s$. Function $\mathit{subj}(s)$ yields the subject who requested the operation that led to state $s$, function $\mathit{obj}(s)$ yields the object involved in that operation, and function $\mathit{rightsReq}(s)$ yields the rights required for the operation to be allowed.

As another example, guaranteed service is a trace property requiring that every request for service is eventually satisfied:

$$\mathit{GS} \triangleq \{\, t \in \Psi_{\mathrm{inf}} \mid (\forall\, i \in \mathbb{N} : \mathit{isReq}(t[i]) \Rightarrow (\exists\, j > i : \mathit{isRespToReq}(t[j], t[i])))\,\}. \quad (2.3)$$

Predicate $\mathit{isReq}(s)$ identifies whether a request is initiated in state $s$, and predicate $\mathit{isRespToReq}(s', s)$ identifies whether state $s'$ completes the response to the request initiated in state $s$.

2.2 Hyperproperties

A hyperproperty is a set of sets of infinite traces, or equivalently a set of trace properties. The set of all hyperproperties is

$$\mathbf{\mathsf{HP}} \triangleq \mathcal{P}(\mathcal{P}(\Psi_{\mathrm{inf}})) = \mathcal{P}(\mathsf{Prop}).$$

The interpretation of a hyperproperty as a security policy is that the hyperproperty is the set of systems allowed by that policy.⁴ Each trace property in a hyperproperty is an allowed system, specifying exactly which executions must be possible for that system. Thus a set $T$ of traces satisfies hyperproperty $\mathbf{H}$, denoted $T \models \mathbf{H}$, iff $T$ is in $\mathbf{H}$:

$$T \models \mathbf{H} \;\triangleq\; T \in \mathbf{H}.$$

Note the use of bold face to denote hyperproperties (e.g., $\mathbf{H}$) and sans serif to denote sets of trace properties (e.g., $\mathsf{Prop}$). Although a hyperproperty and a set of trace properties are mathematically the same kind of object (a set of sets of traces), they are used differently in formulas, hence the different typography. Sets of hyperproperties are simultaneously bold face and sans serif (e.g., $\mathbf{\mathsf{HP}}$). See Appendix A for a guide to other typographical conventions and notation.

Given a trace property $P$, there is a unique hyperproperty denoted $[P]$ that expresses the same policy as $P$. We call this hyperproperty the lift of $P$. For $P$ and $[P]$ to express the same policy, they must be satisfied by the same sets of traces. Thus we can derive a definition of $[P]$:

$$(\forall\, T \in \mathsf{Prop} : T \models P \Leftrightarrow T \models [P])$$
$$= (\forall\, T \in \mathsf{Prop} : T \subseteq P \Leftrightarrow T \in [P])$$
$$= [P] = \{\, T \in \mathsf{Prop} \mid T \subseteq P \,\}$$
$$= [P] = \mathcal{P}(P).$$

Consequently, the lift of $P$ is the powerset of $P$:

$$[P] = \mathcal{P}(P).$$

⁴ The hyperproperty might also contain the empty set of traces, although this set does not correspond to a system.
2.3 Hyperproperties in Action

Trace properties are satisfied by traces, whereas hyperproperties are satisfied by sets of traces. This additional level of sets means that hyperproperties can be more expressive than trace properties. We explore this added expressivity with some examples.

Secure information flow. Information-flow security policies express restrictions on what information may be learned by users of a system. Users interact with systems by providing inputs and observing outputs. To model this interaction, define $\mathit{ev}(s)$ as the input or output event, if any, that occurs when a system transitions to state $s$. Assume that at most one event, input or output, can occur at each transition. For a trace $t$, extend this notation to $\mathit{ev}(t)$, denoting the sequence of events resulting from application of $\mathit{ev}(\cdot)$ to each state in trace $t$.⁵ Further assume that each user of a system is cleared either at confidentiality level $L$, representing low (public) information, or $H$, representing high (secret) information, and that each event is labeled with one of these confidentiality levels. Define $\mathit{ev}_L(t)$ to be the subsequence of low input and output events contained within $\mathit{ev}(t)$, and $\mathit{ev}_{\mathit{Hin}}(t)$ to be the subsequence of high input events contained within $\mathit{ev}(t)$.

Noninterference, as defined by Goguen and Meseguer [23], requires that commands issued by users holding high clearances be removable without affecting observations of users holding low clearances. Treating commands as inputs and observations as outputs, we model this security policy as a hyperproperty requiring a system to contain, for any trace $t$, a corresponding trace $t'$ with no high inputs yet with the same low events as $t$:

$$\mathbf{GMNI} \triangleq \{\, T \in \mathsf{Prop} \mid T \in \mathbf{SM} \wedge (\forall\, t \in T : (\exists\, t' \in T : \mathit{ev}_{\mathit{Hin}}(t') = \epsilon \wedge \mathit{ev}_L(t) = \mathit{ev}_L(t')))\,\}. \quad (2.4)$$

Conjunct $T \in \mathbf{SM}$ expresses the requirement, made by Goguen and Meseguer’s formalization, that systems are deterministic state machines; section 7.2.3 defines $\mathbf{SM}$ formally. $\mathbf{GMNI}$ is not a trace property, as argued in section 1, because trace $t$ is allowed only if corresponding trace $t'$ is also allowed.

Generalized noninterference [40] extends Goguen and Meseguer’s definition of noninterference to handle nondeterministic systems, which are the systems modeled by $\mathsf{Prop}$. McLean [42] reformulates generalized noninterference as a policy requiring a system to contain, for any traces $t_1$ and $t_2$, an interleaved trace $t_3$ whose high inputs are the same as $t_1$ and whose low events are the same as $t_2$. This is a hyperproperty:

$$\mathbf{GNI} \triangleq \{\, T \in \mathsf{Prop} \mid (\forall\, t_1, t_2 \in T : (\exists\, t_3 \in T : \mathit{ev}_{\mathit{Hin}}(t_3) = \mathit{ev}_{\mathit{Hin}}(t_1) \wedge \mathit{ev}_L(t_3) = \mathit{ev}_L(t_2)))\,\}. \quad (2.5)$$

$\mathbf{GNI}$ is not a trace property because the presence of any two traces $t_1$ and $t_2$ in a system necessitates the presence of a third trace $t_3$.

⁵ Depending on the nature of events in the particular system that is being modeled, it might be appropriate for $\mathit{ev}(t)$ to eliminate stuttering of events.
Observational determinism [41,51] requires a system to appear deterministic to a low user. Zdancewic and Myers’s [65] definition of observational determinism can be formulated as a hyperproperty:

$$\mathbf{OD} \triangleq \{\, T \in \mathsf{Prop} \mid (\forall\, t, t' \in T : t[0] =_L t'[0] \Rightarrow t \approx_L t')\,\}. \quad (2.6)$$

State equivalence relation $s =_L s'$ holds whenever states $s$ and $s'$ are indistinguishable to a low user, and trace equivalence relation $t \approx_L t'$ holds whenever traces $t$ and $t'$ are indistinguishable to a low user. Zdancewic and Myers define trace equivalence in terms of state equivalence, requiring the sequence of states in each trace to be equivalent up to both stuttering and prefix; equivalence up to prefix makes their definition termination insensitive — that is, systems are allowed to leak information via termination channels.⁶ $\mathbf{OD}$ is not a trace property because whether some trace is allowed in a system depends on all the other traces of the system.
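The distinction drawn above, between a trace property (satisfied by traces, so $T \models P$ iff $T \subseteq P$) and a hyperproperty (satisfied by sets of traces, so $T \models \mathbf{H}$ iff $T \in \mathbf{H}$), can be checked by brute force on a finite model. The following Python is an added example, not code from the paper: it fixes a four-trace universe in which each trace carries one high input bit and one low output bit, evaluates the lift of a trace property, $\mathbf{GNI}$ (2.5) and a simplified $\mathbf{OD}$ (2.6) over every subset of that universe, and tests each resulting set of allowed systems for being a lifted trace property (the powerset of the union of its members) and for subset closure. The event encoding, the universe, the trace property chosen for lifting and the simplification of $\approx_L$ to position-wise low equivalence (no abstraction of stuttering or prefix) are assumptions of the example; $\mathbf{GMNI}$ is left out because its $\mathbf{SM}$ conjunct is only defined in section 7.

```python
from itertools import combinations

# Constructed model (added example, not from the paper): a state is either None
# (no event) or an event (level, kind, value) with level "L" or "H" and kind
# "in" or "out"; a trace is a tuple of such states.
L, H = "L", "H"


def powerset(xs):
    """All subsets of xs as frozensets: a finite stand-in for P(.)."""
    xs = list(xs)
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]


def ev(t):
    """ev(t): the events of t, skipping states in which no event occurs."""
    return tuple(s for s in t if s is not None)


def ev_L(t):
    """ev_L(t): the low input and output events of t."""
    return tuple(e for e in ev(t) if e[0] == L)


def ev_Hin(t):
    """ev_Hin(t): the high input events of t."""
    return tuple(e for e in ev(t) if e[0] == H and e[1] == "in")


def lift(P):
    """[P] as a predicate on trace sets: T |= [P] iff T is a subset of P."""
    return lambda T: all(P(t) for t in T)


def gni(T):
    """GNI (2.5): for all t1, t2 in T some t3 in T has t1's high inputs and t2's low events."""
    return all(any(ev_Hin(t3) == ev_Hin(t1) and ev_L(t3) == ev_L(t2) for t3 in T)
               for t1 in T for t2 in T)


def low_view(s):
    """A low user sees low events only; a high event looks like no event at all."""
    return s if s is None or s[0] == L else None


def od(T):
    """OD (2.6), simplified: traces whose initial states are low-equivalent must be
    low-equivalent position by position (stuttering and prefix are not abstracted)."""
    return all(tuple(map(low_view, t)) == tuple(map(low_view, t2))
               for t in T for t2 in T if low_view(t[0]) == low_view(t2[0]))


def extension(hyper, universe):
    """The members of hyperproperty `hyper` (a predicate on trace sets) over a finite universe."""
    return {T for T in powerset(universe) if hyper(T)}


def is_lifted_trace_property(members):
    """H = [P] for some trace property P iff H is the powerset of the union of its members."""
    return members == set(powerset(frozenset().union(*members)))


def is_subset_closed(members):
    """Every subset of a member is itself a member."""
    return all(T2 in members for T in members for T2 in powerset(T))


# Constructed universe: each trace carries one high input bit h, then one low output bit o.
UNIVERSE = [((H, "in", h), (L, "out", o)) for h in (0, 1) for o in (0, 1)]


def low_output_zero(t):
    """A trace property P, constructed for the example: the low output is 0."""
    return ev_L(t) == ((L, "out", 0),)


if __name__ == "__main__":
    for name, hyper in [("[P]", lift(low_output_zero)), ("GNI", gni), ("OD", od)]:
        members = extension(hyper, UNIVERSE)
        print(f"{name}: {len(members)} allowed systems, lifted trace property: "
              f"{is_lifted_trace_property(members)}, subset closed: {is_subset_closed(members)}")
```

On this universe the lifted property admits exactly the 4 subsets of its two traces, $\mathbf{GNI}$ admits 10 of the 16 candidate systems and $\mathbf{OD}$ admits 7. Neither of the latter two equals the powerset of any trace set, which is the finite-model form of the claim that neither is a trace property; $\mathbf{GNI}$ is in addition not subset closed (the full universe is allowed, but the pair of traces that agree on neither bit is not), whereas $\mathbf{OD}$ is.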

Bisimulation-based definitions of information-flow security policies can also be formulated as hyperproperties,⁷ which we demonstrate with Focardi and Gorrieri’s [22] bisimulation nondeducibility on compositions (BNDC) in section 7.2.2, and with Boudol and Castellani’s [11] definition of noninterference in appendix B.

All information-flow security policies we investigated turned out to be hyperproperties, not trace properties. This is suggestive, but any stronger statement about the connection between information flow and hyperproperties would require a formal definition of information-flow policies, and none is universally accepted. Nonetheless, we believe that information flow is intrinsically tied to correlations between (not within) executions. And hyperproperties are sufficiently expressive to formulate such correlations, whereas trace properties are not.

Service level agreements. A service level agreement (SLA) specifies acceptable performance of a system. Such specifications commonly use statistics such as

• mean response time, the mean time that elapses between a request and a response;

• time service factor, the percentage of requests that are serviced within a specified time; and

• percentage uptime, the percentage of time during which the system is available to accept and service requests.

These statistics can be used to define policies with respect to individual executions of a system or across all executions of a system. In the former case, the SLA would be a trace property. For example, the policy “The mean response time in each execution

⁶ Zdancewic and Myers also require systems to be race free, hence they weaken trace equivalence to hold for each memory location in a state in isolation, not over all memory locations simultaneously. We omit this requirement for simplicity.

⁷ Since hyperproperties are trace-based, this might at first seem to contradict results, such as Focardi and Gorrieri’s [22], stating that bisimulation-based definitions are more expressive than trace-based definitions. However, by employing a richer notion of state [54, §1.3] in traces than Focardi and Gorrieri, hyperproperties are able to express bisimulations.
is less than 1 second” might not be satisfied by a system if there are executions in which some response times are much greater than 1 second. Yet if these executions are rare, then the system might still satisfy the policy “The mean response time over all executions is less than 1 second.” This latter SLA is not a trace property, but it is a hyperproperty:

$$\mathbf{RT} \triangleq \{\, T \in \mathsf{Prop} \mid \mathit{mean}\Big(\bigcup_{t \in T} \mathit{respTimes}(t)\Big) < 1 \,\}. \quad (2.7)$$

Function $\mathit{mean}(X)$ denotes the mean⁸ of a set $X$ of real numbers, and $\mathit{respTimes}(t)$ denotes the set of response times (in seconds) from request/response events in trace $t$. Policies derived from the other SLA statistics above can similarly be expressed as hyperproperties.

2.4 Beyond Hyperproperties?

Hyperproperties are able to express security policies that trace properties cannot. So it is natural to ask whether there are security policies that hyperproperties cannot express. In section 1, we equated security policies with system properties, and we chose to model systems as trace sets. Every property of trace sets is a hyperproperty, so by definition hyperproperties are expressively complete for our formulations of “system” and “security policy.” To find security policies that hyperproperties cannot express (if any exist), we would need to examine alternative notions of systems and security policies. Section 7 discusses alternative formulations of systems, but all the formulations considered there turn out to have encodings as trace sets — thus hyperproperties are complete for those formulations. We do not know whether other formulations exist that do not have such encodings.

One way to generalize the notion of a security policy is to consider policies on sets of systems — for example, diversity [50], which requires the systems all to implement the same functionality but to differ in their implementation details. Any such policy, however, could be modeled as a hyperproperty on a single system that is a product⁹ of all the systems in the set. So hyperproperties again seem to be sufficient.

2.5 Logic and Hyperproperties

We have not given a logic in which hyperproperties may be expressed. The examples in this paper require only second-order logic. Although higher-order logic might also be useful to express hyperproperties, higher-order logic is reducible to second-order logic [56, §6.2]. So we believe that second-order logic is sufficient to express all hyperproperties. But we do not know whether the full power of second-order logic is

⁸ Since $X$ might have infinite cardinality, $\mathbf{RT}$ requires a definition of the mean of an infinite set (and, for some sets, this mean does not exist). We omit formalizing such a definition here; one possibility is to use the Cesàro mean [27].

⁹ The product of systems $T_1$ and $T_2$ can be defined as system $\{\, (t_1[0], t_2[0])\,(t_1[1], t_2[1]) \ldots \mid t_1 \in T_1 \wedge t_2 \in T_2 \,\}$, comprising traces over pairs of states. Generalizing, the product of a set of $n$ systems comprises traces over $n$-tuples of states.


necessary to express hyperproperties of interest. This has ramifications for verification of hyperproperties, because although full second-order logic cannot be effectively and completely axiomatized, fragments of it can be [9, §2.3].¹⁰

2.6 Refinement and Hyperproperties

Programmers use stepwise refinement [1,7,18,20,36,63] to develop, in a series of steps, a program that implements a specification. The programmer starts from the specification. Each successive step creates a more concrete specification, ultimately culminating in a specification sufficiently concrete that a computer can execute it. To prove that the final concrete specification correctly implements the original specification, the programmer argues at each step that the new concrete specification refines the previous specification. Specification $S_1$ refines specification $S_2$, denoted $S_1 \mathrel{\mathrm{REF}} S_2$, iff every behavior permitted by $S_1$ is also permitted by $S_2$ — that is, the set of behaviors of $S_1$ is a subset of the set of behaviors of $S_2$.

Specifications might describe behaviors at different levels of abstraction. For example, a specification might describe behaviors of a queue, but a refinement of that specification might use an array to implement this behavior. Or a specification might describe behaviors using critical sections, but a refinement might implement critical sections with semaphores. So programmers need techniques to relate the behaviors described by specifications. Abstraction functions [28,29] and refinement mappings [1] have been developed for this purpose; both interpret concrete behaviors as abstract behaviors.

Generalizing from these two techniques, let an interpretation function be a function of type $\Psi \to \Psi$. Let $\mathit{IF}$ be any class of interpretation functions that (like abstraction functions and refinement mappings) is closed under composition and contains the identity function $\mathit{id}$.¹¹ An interpretation function $\alpha$ can be lifted to $\mathsf{Prop} \to \mathsf{Prop}$ by applying $\alpha$ to each trace in a set:

$$\alpha(T) \triangleq \{\, \alpha(t) \mid t \in T \,\}.$$

System $S$ $\alpha$-satisfies trace property $P$, denoted $S \models_\alpha P$, iff $\alpha(S) \models P$. Notation $S \models P$, as we have used it so far, thus means that $S \models_{\mathit{id}} P$.

Trace property $P_1$ refines $P_2$ under interpretation $\alpha$, denoted $P_1 \mathrel{\mathrm{REF}_\alpha} P_2$, iff $\alpha(P_1) \subseteq P_2$. So for trace properties, satisfaction is the same relation as refinement, and subset implies refinement — that is, if $C$ is a subset of $A$, then $C$ refines $A$ (under interpretation $\mathit{id}$). This implication is desirable, because it permits refinements that resolve non-determinism by removing traces from a system. But it is well known that

¹⁰ It is natural to ask whether we could further reduce second-order logic to first-order. Such a reduction is possible, but only with the Henkin, rather than standard, semantics of second-order logic [9, §4.2]. We do not know which of these semantics should be preferred for hyperproperties. However, there are trace properties, and thus hyperproperties, that we conjecture cannot be expressed in first-order logic — for example, the trace property containing the single trace $pqppqqpppqqq\ldots$, where $p$ and $q$ are states. This suggests that the standard semantics is appropriate.

¹¹ Abstraction functions must also preserve data type operations, and refinement mappings must preserve externally visible components up to stuttering. But these restrictions are not relevant to our discussion.
this kind of refinement does not generally work for security policies.¹² For example, recall system $\pi$ (section 1), which nondeterministically chooses to output 0, 1, or the value of a secret bit $h$. System $\pi$ satisfies the specification “The possible output values are independent of the values of secrets,” which can be formulated as a hyperproperty. But consider a system $\pi'$ that always outputs $h$. System $\pi'$ does not satisfy the specification and therefore cannot refine $\pi$, yet $\pi' \subseteq \pi$. So subset does not imply refinement for hyperproperties as it does for trace properties.

Hyperproperty $\mathbf{H}_1$ refines $\mathbf{H}_2$ under interpretation $\alpha$, denoted $\mathbf{H}_1 \mathrel{\mathrm{REF}_\alpha} \mathbf{H}_2$, iff $\alpha(\mathbf{H}_1) \subseteq \mathbf{H}_2$, where $\alpha(\mathbf{H})$ is defined as $\{\, \alpha(T) \mid T \in \mathbf{H} \,\}$. A natural relationship that we would expect to hold is

$$(\forall\, S \in \mathsf{Prop}, \mathbf{H} \in \mathbf{\mathsf{HP}} : S \models \mathbf{H} \Leftrightarrow [S] \mathrel{\mathrm{REF}_{\mathit{id}}} \mathbf{H}), \quad (2.8)$$

because satisfaction and refinement intuitively should agree (as they did for trace properties). Straightforward application of definitions shows that (2.8) holds iff $\mathbf{H}$ is subset closed.

Thus, perhaps unsurprisingly, the set of hyperproperties with which refinement works is the set $\mathbf{\mathsf{SSC}}$ of subset-closed hyperproperties:

$$\mathbf{\mathsf{SSC}} \triangleq \{\, \mathbf{H} \in \mathbf{\mathsf{HP}} \mid (\forall\, T \in \mathsf{Prop} : T \in \mathbf{H} \Rightarrow (\forall\, T' \in \mathsf{Prop} : T' \subseteq T \Rightarrow T' \in \mathbf{H}))\,\}.$$

The lifted trace properties are, of course, members of $\mathbf{\mathsf{SSC}}$. But $\mathbf{\mathsf{SSC}}$ contains more than just the lifted trace properties. For example, observational determinism $\mathbf{OD}$ (2.6) is subset closed and therefore a member of $\mathbf{\mathsf{SSC}}$, but $\mathbf{OD}$ is not a lifted trace property.
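The argument that subset does not imply refinement for hyperproperties, and the claim that (2.8) holds exactly when $\mathbf{H}$ is subset closed, can both be exercised on a finite model. The Python below is an added example, not code from the paper: it encodes system $\pi$ and its refinement $\pi'$ over a two-state trace shape (secret bit, then output bit), states the section 1 policy “possible outputs are independent of secrets” as a predicate on trace sets, and checks (2.8) by enumerating every $S$ over the universe, once for that policy and once for a lifted trace property. The trace shape, the universe, the concrete lifted property and the restriction to the identity interpretation are assumptions of the example.

```python
from itertools import combinations

# Constructed model (added example, not from the paper): a trace is
# (("secret", h), ("out", o)); the initial state holds the secret bit h and the
# next state holds the output o. Four traces are possible in all.
UNIVERSE = [(("secret", h), ("out", o)) for h in (0, 1) for o in (0, 1)]


def secret(t):
    return t[0][1]


def output(t):
    return t[1][1]


# System pi of section 1: nondeterministically outputs 0, 1, or h.
PI = frozenset(t for t in UNIVERSE if output(t) in (0, 1, secret(t)))
# Its refinement pi' that always outputs the secret bit.
PI_PRIME = frozenset(t for t in UNIVERSE if output(t) == secret(t))


def powerset(xs):
    """All subsets of xs as frozensets: a finite stand-in for P(.)."""
    xs = list(xs)
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]


def output_independent(T):
    """The section 1 policy: the set of possible outputs is the same for every secret."""
    return len({frozenset(output(t) for t in T if secret(t) == h) for h in (0, 1)}) <= 1


def lift(P):
    """[P] as a predicate: T |= [P] iff every trace of T is in P, i.e. T is a subset of P."""
    return lambda T: all(P(t) for t in T)


def extension(hyper, universe):
    """Members of hyperproperty `hyper` over a finite universe, as a set of trace sets."""
    return {T for T in powerset(universe) if hyper(T)}


def refines(H1, H2):
    """H1 REF_id H2 iff H1 is a subset of H2 (under id, alpha(H1) is H1 itself)."""
    return H1 <= H2


def satisfaction_matches_refinement(H, universe):
    """Property (2.8) over the universe: for every S, S |= H iff [S] REF_id H,
    where [S] is the powerset of S."""
    return all((S in H) == refines(set(powerset(S)), H) for S in powerset(universe))


def is_subset_closed(H):
    """Membership of H in SSC: every subset of a member is a member."""
    return all(T2 in H for T in H for T2 in powerset(T))


if __name__ == "__main__":
    print("pi satisfies output independence:", output_independent(PI))
    print("pi' is a proper subset of pi:", PI_PRIME < PI)
    print("pi' satisfies output independence:", output_independent(PI_PRIME))
    oi = extension(output_independent, UNIVERSE)
    always_zero = extension(lift(lambda t: output(t) == 0), UNIVERSE)
    for name, H in [("output independence", oi), ("lifted 'output is 0'", always_zero)]:
        print(f"{name}: subset closed = {is_subset_closed(H)}, "
              f"(2.8) holds = {satisfaction_matches_refinement(H, UNIVERSE)}")
```

The output-independence hyperproperty admits only four systems here (the empty set, the two systems that output a fixed bit regardless of $h$, and $\pi$ itself), so it is not subset closed and (2.8) fails for it, the witness being $S = \pi$; the lifted property is subset closed and (2.8) holds for every $S$.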

3 Hypersafety

According to Alpern and Schneider [4], the “bad thing” in a safety property must be both

• finitely observable, meaning its occurrence can be detected in finite time, and

• irremediable, so its occurrence can never be remediated by future events.

No-read-then-write $\mathit{NRW}$ (2.1) and access control $\mathit{AC}$ (2.2) are both safety. The bad thing for $\mathit{NRW}$ is a finite trace in which a network write occurs after a file read. This bad thing is finitely observable, because the write can be detected in some finite prefix of the trace, and irremediable, because the network write can never be undone. For $\mathit{AC}$, the bad thing is similarly a finite trace in which an operation is performed without appropriate rights.

For trace properties, a bad thing is a finite trace that cannot be a prefix of any execution satisfying the safety property. A finite trace $t$ is a prefix of a (finite or infinite) trace $t'$, denoted $t \le t'$, iff $t' = t t''$ for some $t'' \in \Psi$.

¹² Previous work has identified refinement techniques that are valid for use with certain information-flow security policies [10,39,42].
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Safety  property.  A  trace  property  S'  is  a  safety  property  [4]  iff 

(V  t  G  Winf  :  t  f.  S  =>  (3  m  G  '3/fjn  :  to  <  t  A 

(V t'  G  4/inf  :  to<  t’  =>  f  i  S ))). 

Define  SP  to  be  the  set  of  all  safety  properties;  note  that  SP  is  itself  a  hyperproperty. 

We generalize safety to hypersafety by generalizing the bad thing from a finite trace
to a finite¹³ set of finite traces. Define $Obs$ to be the set of such observations:

$$Obs \triangleq \mathcal{P}_{fin}(\Psi_{fin}),$$

where $\mathcal{P}_{fin}(X)$ denotes the set of all finite subsets of set $X$. Prefix $\le$ on sets of traces
is defined as follows:¹⁴

$$T \le T' \triangleq (\forall t \in T : (\exists t' \in T' : t \le t')).$$

Note  that  this  definition  allows  T'  to  contain  traces  that  have  no  prefix  in  T. 

Safety hyperproperty. A hyperproperty $S$ is a safety hyperproperty (is hypersafety) iff

$$(\forall T \in Prop : T \notin S \Rightarrow (\exists M \in Obs : M \le T \wedge (\forall T' \in Prop : M \le T' \Rightarrow T' \notin S))).$$

The definition of hypersafety parallels the definition of safety, but the domains involved
now include an extra level of sets. Define $SHP$ to be the set of all safety hyperproperties.
Some consequences of the definition of hypersafety are:

•  Observational  determinism  OD  (2.6)  is  hypersafety.  The  bad  thing  is  a  pair  of 
traces  that  are  not  low-equivalent  despite  having  low-equivalent  initial  states. 

•  Safety  properties  lift  to  safety  hyperproperties. 

Proposition 1. $(\forall S \in Prop : S \in SP \Leftrightarrow [S] \in SHP)$.

•  Set  SP  of  all  safety  properties  is  not  a  safety  hyperproperty:  there  is  no  bad  thing 
that  prevents  an  arbitrary  trace  property  from  being  extended  to  a  safety  property. 

Refinement  of  hypersafety.  Stepwise  refinement  works  with  all  safety  hyperproper¬ 
ties,  because  safety  hyperproperties  are  subset  closed  (cf.  section  2.6),  as  stated  by  the 
following  theorem. 

Theorem 1. $SHP \subseteq SSC$.
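Why Theorem 1 holds, worked out from the definitions of hypersafety and trace set prefix given above (an added derivation, not part of the original text):

Let $S \in SHP$, let $T \in S$, and let $T' \subseteq T$. Suppose, toward a contradiction, that $T' \notin S$. Hypersafety of $S$ yields an observation $M \in Obs$ with

$$M \le T' \;\wedge\; (\forall T'' \in Prop : M \le T'' \Rightarrow T'' \notin S).$$

Unfolding $M \le T'$: every $t \in M$ has some $t' \in T'$ with $t \le t'$. Because $T' \subseteq T$, that same $t'$ lies in $T$, so $M \le T$. Instantiating the universally quantified conjunct with $T'' := T$ gives $T \notin S$, contradicting $T \in S$. Hence $T' \in S$, so $S$ is subset closed and $SHP \subseteq SSC$. The contrapositive is what the text applies to $GNI$ below: a hyperproperty that loses membership when a trace is removed can have no such condemning observation $M$.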

¹³ Infinite sets might seem to be an attractive alternative, and many of the results in the rest of this paper
would still hold. However, the topological characterization given in section 6 (specifically, Propositions 4
and 5) would be sacrificed.

¹⁴ Other definitions of trace set prefix are possible, but inconsistent with our notion of observation. We
discuss this in section 6.
A consequence of Theorem 1 is that any hyperproperty that is not subset closed
cannot be hypersafety. For example, generalized noninterference $GNI$ (2.5) is not subset
closed: a system containing traces $t_1$ and $t_2$ and interleaved trace $t_3$ might satisfy
$GNI$, but the subset containing only $t_1$ and $t_2$ would not satisfy $GNI$. Thus $GNI$ cannot
be hypersafety.

4  Beyond  2-Safety 

Safety  properties  enjoy  a  relatively  complete  verification  methodology  based  on  in¬ 
variance  arguments  [5].  Although  we  have  not  obtained  such  a  methodology  for  hyper¬ 
safety,  we  can  use  invariance  arguments  to  verify  a  class  of  safety  hyperproperties  by 
generalizing  recent  work  on  verification  of  secure  information  flow. 

Recall that secure information flow is a hyperproperty but not a trace property. Recent
work gives system transformations that reduce verifying secure information flow¹⁵
to  verifying  a  safety  property  of  some  transformed  system:  Pottier  and  Simonet  [49] 
develop  a  type  system  for  verifying  secure  information  flow  based  on  simultaneous 
reasoning  about  two  executions  of  a  program.  Darvas  et  al.  [19]  show  that  secure  in¬ 
formation  flow  can  be  expressed  in  dynamic  logic.  Barthe  et  al.  [8]  give  an  equivalent 
formulation  for  Hoare  logic  and  temporal  logic,  based  on  a  self-composition  construc¬ 
tion. 

Define the sequential self-composition of $P$ as the program $P; P'$, where $P'$ denotes
program $P$, but with every variable renamed to a fresh, primed variable; for example,
variable $x$ is renamed to $x'$. One way to verify that $P$ exhibits secure information flow
is to establish the following trace property of transformed program $P; P'$:

If for every low variable $l$, before execution $l = l'$ holds, then when execution
terminates $l = l'$ still holds, no matter what the values of high
variables were.

Barthe  et  al.  generalize  the  self-composition  operator  from  sequential  composition  to 
any  operator  that  satisfies  certain  conditions,  and  they  note  that  parallel  composition 
satisfies  these  conditions.  They  also  relax  the  equality  constraints  in  the  above  trace 
property  to  partial  equivalence  relations.  Terauchi  and  Aiken  [60]  further  generalize 
the  applicability  of  self-composition  by  showing  that  it  can  be  used  to  verify  any  2- 
safety  property,  which  they  define  informally  as  a  “property  that  can  be  refuted  by 
observing  two  finite  traces.” 
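The self-composition check described above, as an added Python example that is not part of the original paper: a program is modelled as a function over a dictionary of variables, $P'$ is obtained by renaming every variable $x$ to $x'$, and the trace property "low variables equal before execution implies low variables equal at termination, whatever the high values were" is checked exhaustively over a small finite value domain. The two programs `leaky` and `secure`, the variable names `l` (low) and `h` (high), and the domain `range(4)` are constructed for the example.

```python
# Sequential self-composition P; P' for a tiny imperative language, as an
# added example.  A program is a Python function that updates a state dict;
# P' is P with every variable x renamed to x'.  The trace property checked on
# P; P' is: if every low variable agrees with its primed copy before
# execution, it still agrees after execution, whatever the high inputs were.
from itertools import product

LOW = ("l",)        # low (public) variables, assumed for the example
HIGH = ("h",)       # high (secret) variables, assumed for the example
DOMAIN = range(4)   # small finite domain so every initial state can be enumerated


def leaky(state):
    """P_leaky: one bit of the secret flows into the low output."""
    state["l"] = state["h"] % 2
    return state


def secure(state):
    """P_secure: h is read, but the low output depends only on low input."""
    state["l"] = (state["l"] + state["h"] - state["h"]) * 2
    return state


def rename(program):
    """Build P' from P: run P on the primed slice of a combined state.
    The primed variables are mapped to an unprimed view, P runs on the view,
    and the results are written back under the primed names."""
    def primed(state):
        view = {v[:-1]: state[v] for v in state if v.endswith("'")}
        for v, val in program(view).items():
            state[v + "'"] = val
        return state
    return primed


def self_compose(program):
    """P; P' acting on a combined state that holds both copies of the variables."""
    p_primed = rename(program)

    def composed(state):
        unprimed = {v: state[v] for v in state if not v.endswith("'")}
        state.update(program(unprimed))   # run P on the unprimed copy
        return p_primed(state)            # then P' on the primed copy
    return composed


def noninterferent(program):
    """Return (True, None) if P; P' satisfies the self-composition trace property
    for every initial state over DOMAIN, else (False, (initial, final)) where the
    pair of runs encoded in the witness disagrees on a low variable."""
    composed = self_compose(program)
    for lows, highs, highs2 in product(
        product(DOMAIN, repeat=len(LOW)),
        product(DOMAIN, repeat=len(HIGH)),
        product(DOMAIN, repeat=len(HIGH)),
    ):
        init = {}
        for v, x in zip(LOW, lows):      # low variables start equal: l = l'
            init[v] = x
            init[v + "'"] = x
        for v, x in zip(HIGH, highs):    # high variables are unconstrained
            init[v] = x
        for v, x in zip(HIGH, highs2):
            init[v + "'"] = x
        final = composed(dict(init))
        if any(final[v] != final[v + "'"] for v in LOW):
            return False, (init, final)  # the bad thing: two runs, low disagreement
    return True, None


if __name__ == "__main__":
    print("leaky :", noninterferent(leaky))
    print("secure:", noninterferent(secure))
```

The witness returned for `leaky` is exactly the 2-trace bad thing of the next section: two runs with equal low inputs and different high inputs that end with different low outputs. Exhaustive enumeration is what makes the check a decision procedure here; for unbounded domains the same trace property of $P; P'$ is what an invariance argument or a relational logic would establish.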

Using hyperproperties, we can show that the above results are special cases of a
more general theorem. Define a $k$-safety hyperproperty as a safety hyperproperty in
which the bad thing never involves more than $k$ traces:

$k$-safety hyperproperty. A hyperproperty $S$ is a $k$-safety hyperproperty (is $k$-safety) iff

$$(\forall T \in Prop : T \notin S \Rightarrow (\exists M \in Obs : M \le T \wedge |M| \le k \wedge (\forall T' \in Prop : M \le T' \Rightarrow T' \notin S))).$$

This is just the definition of hypersafety with an added conjunct "$|M| \le k$". For a
particular $k$, define $KSHP(k)$ to be the set of all $k$-safety hyperproperties.

¹⁵ These reductions are possible because the particular formulations of secure information flow used in
each work are actually hypersafety. A formulation that is hyperliveness, which would include all possibilistic
information-flow policies, as discussed in section 5, would not be amenable to these reductions.

As an example of a $k$-safety hyperproperty for any $k$, consider a system that stores
a secret by splitting it into $k$ shares. Suppose that an action of the system is to output
a share. Then a hyperproperty of interest might be that the system cannot, across all
of its executions, output all $k$ shares (thereby outputting sufficient information for the
secret to be reconstructed). We denote this $k$-safety hyperproperty as $SecS_k$.

The 1-safety hyperproperties are the lifted safety properties, that is,

$$KSHP(1) = \{[S] \mid S \in SP\},$$

since the bad thing for a safety property is a single trace. Thus "1-safety" and
"safety" are synonymous.

The  Terauchi  and  Aiken  definition  of  2-safety  properties  is  limited  to  deterministic 
programs  that  are  expressed  in  a  relational  model  of  execution  (which  we  address  fur¬ 
ther  in  section  7.2.1),  and  it  ignores  nonterminating  traces.  So  their  2-safety  properties 
are  a  strict  subset  of  the  2-safety  hyperproperties,  KSHP(2).  For  example,  observa¬ 
tional  determinism  OD  (2.6)  is  not  a  2-safety  property,  but  it  is  a  2-safety  hyperpro¬ 
perty. 

Define the parallel self-composition of system $S$ as the product system $S \times S$
consisting of traces over $\Sigma \times \Sigma$:

$$S \times S \triangleq \{(t[0], t'[0])(t[1], t'[1]) \cdots \mid t \in S \wedge t' \in S\}.$$

Define the $k$-product of $S$, denoted $S^k$, to be the $k$-fold parallel self-composition of $S$,
comprising traces over $\Sigma^k$. Self-composition $S \times S$ is equivalent to 2-product $S^2$.

Previous work has shown how to reduce a particular formulation of noninterference
of $S$ to a related safety property of $S^2$ [8], and how to reduce any 2-safety hyperproperty
of system $S$ to a related safety property of $S; S'$ [60]. The following theorem
generalizes those results. Let $Sys$ be the set of all systems. For any system $S$, any
$k$-safety hyperproperty $K$ of $S$ can be reduced to a safety property $\hat{K}$ of $S^k$, and the
proof of the theorem (in appendix D) shows how to construct $\hat{K}$ from $K$:

Theorem 2. $(\forall S \in Sys, K \in KSHP(k) : (\exists \hat{K} \in SP : S \models K \Leftrightarrow S^k \models \hat{K}))$.

Theorem 2 provides a verification technique for $k$-safety: reduce a $k$-safety hyperproperty
to a safety property, then verify that the safety property is satisfied by $S^k$ using
an invariance argument. Since invariance arguments are relatively complete for safety
properties [5], this methodology is relatively complete for $k$-safety.

However, Theorem 2 does not provide the relatively complete verification procedure
we seek for hypersafety, because there are safety hyperproperties that are not $k$-safety
for any $k$. For example, consider the hyperproperty "for any $k$, a system cannot
output all $k$ shares of a secret from a $k$-secret sharing":

$$SecS \triangleq \bigcup_{k} SecS_k. \qquad (4.1)$$

$SecS$ is not $k$-safety for any $k$. Yet it is hypersafety, since any trace property not
contained in it violates some $SecS_k$.
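The $k$-product $S^k$ and the reduction of Theorem 2, applied to the secret-sharing hyperproperty $SecS_k$ defined above and to observational determinism as a 2-safety hyperproperty, as an added Python example that is not part of the original paper. A finite system is represented as a prefix-closed set of finite traces, `k_product` builds the lock-step product over $\Sigma^k$, and `reduce_to_safety` turns a "bad observation" predicate over $k$ component prefixes into the safety property $\hat{K}$ of $S^k$, so that $S \models K$ is decided by one scan of $S^k$. The sample systems, the `(low, high)` state encoding used for $OD$, the `shareN` naming of share-output states, and the padding of shorter component traces with `None` are constructed assumptions of the example.

```python
# k-product S^k of a finite system and the reduction of a k-safety
# hyperproperty to a safety property of S^k, as an added example.
# A finite system is a prefix-closed set of finite traces (tuples of states);
# keeping prefixes makes every observation of the system an explicit element.
from itertools import product


def prefixes(trace):
    """All prefixes of a finite trace, including the empty trace ()."""
    return {trace[:i] for i in range(len(trace) + 1)}


def prefix_closure(traces):
    """The set of all prefixes of all traces in `traces`."""
    return set().union(*(prefixes(t) for t in traces))


def k_product(system, k):
    """S^k: lock-step k-fold parallel self-composition over alphabet Sigma^k.
    Shorter component traces are padded with None ("no state produced yet")
    so that every k-tuple of finite traces of S yields one product trace."""
    product_traces = set()
    for combo in product(system, repeat=k):
        n = max(len(t) for t in combo)
        padded = [t + (None,) * (n - len(t)) for t in combo]
        product_traces.add(tuple(zip(*padded)))
    return product_traces


def reduce_to_safety(bad_observation, k):
    """K_hat: the safety property of S^k whose bad thing is one product trace
    whose k component prefixes `bad_observation` flags.  Returns a checker
    that decides S^k |= K_hat by scanning every product trace once."""
    def holds(product_system):
        for ptrace in product_system:
            components = tuple(
                tuple(col[i] for col in ptrace if col[i] is not None)
                for i in range(k)
            )
            if bad_observation(components):
                return False          # the bad thing is a prefix of S^k
        return True
    return holds


def satisfies_k_safety(system, bad_observation, k):
    """S |= K  iff  S^k |= K_hat  (the shape of Theorem 2, for finite S)."""
    return reduce_to_safety(bad_observation, k)(k_product(system, k))


# --- SecS_3: no three executions, taken together, output all three shares.
#     States are strings; a state "shareN" models the action "output share N".
def all_shares_output(components, k=3):
    seen = set()
    for t in components:
        seen.update(s for s in t if s.startswith("share"))
    return len(seen) == k


# --- OD as 2-safety: two traces whose initial states are low-equivalent must
#     stay low-equivalent.  A state is a (low, high) pair; low-equivalence
#     compares the low component only.
def od_violation(components):
    t, u = components
    if not t or not u or t[0][0] != u[0][0]:
        return False
    return any(a[0] != b[0] for a, b in zip(t, u))


# Constructed sample systems for the example (not from the paper):
SHARES_OK = prefix_closure({("init", "share1"), ("init", "share2")})
SHARES_BAD = prefix_closure({("init", "share1"), ("init", "share2"),
                             ("init", "share3")})
OD_OK = prefix_closure({(("l0", "h0"), ("l1", "h0")),
                        (("l0", "h1"), ("l1", "h1"))})
OD_BAD = prefix_closure({(("l0", "h0"), ("l1", "h0")),
                         (("l0", "h1"), ("l2", "h1"))})

if __name__ == "__main__":
    print("SHARES_OK  |= SecS_3:", satisfies_k_safety(SHARES_OK, all_shares_output, 3))
    print("SHARES_BAD |= SecS_3:", satisfies_k_safety(SHARES_BAD, all_shares_output, 3))
    print("OD_OK      |= OD    :", satisfies_k_safety(OD_OK, od_violation, 2))
    print("OD_BAD     |= OD    :", satisfies_k_safety(OD_BAD, od_violation, 2))
```

Because the system is prefix closed, every $k$-tuple of finite prefixes of $S$ appears as one trace of $S^k$, so scanning $S^k$ for a flagged product trace is exactly the check that no bad thing $M$ with $|M| \le k$ is a prefix of $S$. The same machinery cannot decide $SecS$ itself: the bound $k$ is an input to `k_product`, which is the point of the paragraph above.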


5  Hyperliveness 

Alpern  and  Schneider  [4]  characterize  the  “good  thing”  in  a  liveness  property  as 

•  always  possible,  no  matter  what  has  occurred  so  far,  and 

•  possibly  infinite,  so  it  need  not  be  a  discrete  event. 

For  example,  guaranteed  service  GS  (2.3)  is  a  liveness  property  in  which  the  good  thing 
is  the  eventual  response  to  a  request.  This  good  thing  is  always  possible,  because  a  state 
in  which  a  response  is  produced  can  always  be  appended  to  any  finite  trace  containing 
a  request.  And  this  good  thing  is  not  infinite  because  the  response  is  a  discrete  event, 
but  starvation  freedom,  which  stipulates  that  a  system  makes  progress  infinitely  often, 
is  an  example  of  a  liveness  property  with  an  infinite  good  thing. 

Formally,  a  good  thing  is  an  infinite  suffix  of  a  finite  trace: 

Liveness property. Trace property $L$ is a liveness property [4] iff

$$(\forall t \in \Psi_{fin} : (\exists t' \in \Psi_{inf} : t \le t' \wedge t' \in L)).$$

Define  LP  to  be  the  set  of  all  liveness  properties.  Not  surprisingly,  LP  is  a  hyperpro¬ 
perty. 

Just  as  with  hypersafety,  we  generalize  liveness  to  hyperliveness  by  generalizing  a 
finite  trace  to  a  finite  set  of  finite  traces.  The  definition  of  hyperliveness  is  essentially 
the  same  as  the  definition  of  liveness,  except  for  an  additional  level  of  sets: 

Liveness  hyperproperty.  Hyperproperty  L  is  a  liveness  hyperproperty  (is  hyper¬ 
liveness)  iff 


$$(\forall T \in Obs : (\exists T' \in Prop : T \le T' \wedge T' \in L)).$$

Define  LHP  to  be  the  set  of  all  liveness  hyperproperties. 

Mean  response  time  RT  (2.7)  is  not  liveness  but  it  is  hyperliveness:  the  good  thing 
is  that  the  mean  response  time  is  low  enough.  Given  any  observation  T  with  any  mean 
response  time,  it  is  always  possible  to  extend  T,  such  that  the  resulting  system  has 
a  low  enough  mean  response  time,  by  adding  a  trace  that  has  many  quick  responses. 
Note  that  if  this  policy  were  approximated  by  limiting  the  maximum  response  time  in 
each  execution,  then  the  resulting  hyperproperty  would  be  a  lifted  safety  property. 
Some  additional  consequences  of  the  definition  of  hyperliveness  are: 
• The only hyperproperty that is both hypersafety and hyperliveness is $true$, defined
as $Prop$. The hyperproperty $false$, defined as $\{\emptyset\}$, is hypersafety but not
hyperliveness.¹⁶

•  Liveness  properties  lift  to  liveness  hyperproperties. 

Proposition 2. $(\forall L \in Prop : L \in LP \Leftrightarrow [L] \in LHP)$.

•  Set  LP  of  all  liveness  properties  is  a  liveness  hyperproperty:  every  observation 
can  be  extended  to  any  liveness  property. 

•  Similarly,  set  SP  of  all  safety  properties  is  a  liveness  hyperproperty:  every  obser¬ 
vation  can  be  extended  to  a  safety  property  (whose  bad  thing  is  “not  beginning 
execution  with  one  of  the  finite  traces  in  the  observation"). 

Possibilistic  information  flow.  Some  information-flow  security  policies,  such  as  ob¬ 
servational  determinism  OD  (2.6),  restrict  nondeterminism  of  a  system  from  being 
publicly  observable.  However,  observable  nondeterminism  might  be  useful,  for  a  cou¬ 
ple  of  reasons.  First,  systems  might  exhibit  nondeterminism  due  to  scheduling.  If 
the  scheduler  cannot  be  influenced  by  secret  information  (i.e.,  the  scheduler  does  not 
serve  as  a  covert  timing  channel),  then  it  is  reasonable  to  allow  the  scheduler  to  behave 
nondeterministically.  Second,  nondeterminism  is  a  useful  modeling  abstraction  when 
dealing  with  probabilistic  systems  (which  we  consider  in  more  detail  in  section  7.2.4). 
When  the  exact  probabilities  for  a  system  are  unknown,  they  can  be  abstracted  by  non¬ 
determinism.  For  at  least  these  reasons,  there  is  a  history  of  research  on  possibilistic 
information-flow  security  policies,  beginning  with  nondeducibility  [59]  and  general¬ 
ized  noninterference  [40].  Such  policies  are  founded  on  the  intuition  that  low  observers 
of  a  system  should  gain  little  from  their  observations.  Typically,  these  policies  require 
that  every  low  observation  is  consistent  with  some  large  set  of  possible  high  behaviors. 

McLean  [42]  shows  that  possibilistic  information-flow  policies  can  be  expressed  as 
trace  sets  that  are  closed  with  respect  to  selective  interleaving  functions.  Such  func¬ 
tions,  given  two  executions  of  a  system,  specify  another  trace  that  must  also  be  an  ex¬ 
ecution  of  the  system — as  did  the  definition  of  generalized  noninterference  GNI  (2.5). 
Mantel [38] generalizes from these functions to closure operators, which extend a set
$S$ of executions to a set $S'$ such that $S \subseteq S'$. Mantel argues that every possibilistic
information-flow policy can be expressed as a closure operator.

Given a closure operator $Cl$ that expresses a possibilistic information-flow policy,
the hyperproperty $P_{Cl}$ induced by $Cl$ is

$$P_{Cl} \triangleq \{Cl(T) \mid T \in Prop\}.$$

Define the set $PIF$ of all such hyperproperties to be $\bigcup_{Cl} P_{Cl}$. It is now easy to see that
these are liveness hyperproperties: any observation $T$ can be extended to its closure.

Theorem 3. $PIF \subseteq LHP$.

¹⁶ The false property is the empty set of traces, so it might seem reasonable to define false as the empty set
of trace sets. But then the lift of the false property would not equal false. Note that false is not satisfied by
any system because, by definition, $\emptyset$ is not a system.

Possibilistic information-flow policies are therefore never hypersafety.¹⁷

Temporal logics. Consider the hyperproperty "For every initial state, there is some
terminating trace, but not all traces must terminate," denoted as $NNT$. In branching-time
temporal logic, $NNT$ could be expressed as

$$\lozenge\, \mathit{terminates}, \qquad (5.1)$$

where $\mathit{terminates}$ is a state predicate and $\lozenge$ is the "not never" operator.¹⁸ There is
no linear-time temporal predicate that expresses $NNT$, nor is there a liveness property
equivalent to $NNT$ [34]; an approximation would be a linear-time predicate, or a liveness
property, that requires every trace to terminate. However, $NNT$ is hyperliveness
because any finite trace can be extended to a set of executions such that at least one
execution terminates.

This  example  suggests  a  relationship  between  hyperproperties  and  branching-time 
temporal  predicates,  and  between  trace  properties  and  linear-time  temporal  predicates. 
We  can  make  this  relationship  precise  by  examining  the  semantics  of  temporal  logic.  In 
both  branching  time  and  linear  time,  a  semantic  model  contains  a  set  of  states  and  a  val¬ 
uation  function  assigning  a  Boolean  value  to  each  atomic  proposition  in  each  state.  Ad¬ 
ditionally,  a  branching-time  model  requires  a  current  state  and  a  set  of  traces,  whereas 
a  linear-time  model  requires  a  single  trace  [21].  These  requirements  differ  because  a 
linear-time  predicate  is  a  property  of  a  trace,  whereas  a  branching-time  predicate  is  a 
property  of  a  state  and  all  the  future  traces  that  could  proceed  from  that  state.  Thus, 
trace  properties  model  linear-time  predicates,  and  hyperproperties  model  branching¬ 
time  predicates  for  a  given  state. 

Moreover, hyperproperties can express policies that branching-time predicates cannot.
Consider the trace property "Every trace must end with an infinite number of good
states," denoted $SAG$, where $\mathit{good}$ is a state predicate. In linear-time temporal logic,
$SAG$ could be expressed as

$$\Diamond\Box\, \mathit{good}, \qquad (5.2)$$

where $\Diamond$ is the "sometime" operator and $\Box$ is the "always" operator. $SAG$ is liveness
and thus hyperliveness, but there is no branching-time predicate that expresses it [34].

6  Topology 

Topology enables an elegant characterization of the structure of hyperproperties, just
as it did for trace properties. We begin by summarizing the topology of trace properties
[58].

Consider  an  observer  of  an  execution  of  a  system,  who  is  permitted  to  see  each 
new  state  as  it  is  produced  by  the  system;  otherwise,  the  system  is  a  black  box  to  the 
observer.  The  observer  attempts  to  determine  whether  trace  property  P  holds  of  the 
system.  At  any  point  in  time,  the  observer  has  seen  only  a  finite  prefix  of  the  (infinite) 

17  Another  way  to  reach  this  conclusion  is  to  observe  that  closure  operators  need  not  yield  hyperproperties 
that  are  subset  closed — yet,  by  Theorem  1,  every  safety  hyperproperty  is  subset  closed. 

18 Temporal  logic  CTL  [13]  would  express  this  formula  as  E  F  terminates. 
execution. Thus, the observer should declare that the system satisfies $P$, after observing
finite trace $t$, only if all possible extensions of $t$ will also satisfy $P$. Abramsky names
such properties observable [3].

Like the bad thing for a safety property, an observable property must be detectable
in finite time; and once detected, hold thereafter. Formally, $O$ is an observable property
iff

$$(\forall t \in \Psi_{inf} : t \in O \Rightarrow (\exists m \in \Psi_{fin} : m \le t \wedge (\forall t' \in \Psi_{inf} : m \le t' \Rightarrow t' \in O))).$$

Define $\mathbf{O}$ to be the set of observable properties. This set satisfies two closure conditions.
First, if $O_1, \ldots, O_n$ are observable, then $\bigcap_i O_i$ is also observable. Second, if
$\mathcal{O}$ is a (potentially infinite) set of observable properties, then $\bigcup_{O \in \mathcal{O}} O$ is also observable.
Thus $\mathbf{O}$ is closed under finite intersections and infinite unions.

A topology on a set $S$ is a set $\mathcal{T} \subseteq \mathcal{P}(S)$ such that $\mathcal{T}$ is closed under finite
intersections and infinite unions. Because $\mathbf{O}$ is so closed, it is a topology on $\Psi_{inf}$. We name
$\mathbf{O}$ the Plotkin topology, because Plotkin proposed its use in characterizing safety and
liveness [4].¹⁹

The elements of a topology $\mathcal{T}$ are called its open sets. A convenient way to characterize
the open sets of a topology is in terms of a base or a subbase. A base of topology
$\mathcal{T}$ is a set $B \subseteq \mathcal{T}$ such that every open set is a (potentially infinite) union of elements
of $B$. A subbase is a set $A \subseteq \mathcal{T}$ such that the collection of finite intersections of $A$ is a
base for $\mathcal{T}$. The set

$$\mathbf{O}_B \triangleq \{\uparrow\! t \mid t \in \Psi_{fin}\}$$

is a base (and a subbase) of the Plotkin topology, where

$$\uparrow\! t \triangleq \{t' \in \Psi_{inf} \mid t \le t'\}$$

is the completion of a finite trace $t$. When $t \le t'$ we say that $t'$ extends $t$. The completion
of $t$ is thus the set of all infinite extensions of $t$.

Alpern and Schneider [4] noted that, in the Plotkin topology, safety properties correspond
to closed sets and liveness properties correspond to dense sets. A closed set
is the complement (with respect to $S$) of an open set. If a trace $t$ is not a member
of a closed set $C$, then there is some bad thing (specifically, the prefix $m$ of $t$ in the
definition of observable as instantiated on open set $\overline{C}$, the complement of $C$) that is
to blame; the existence of such bad things makes $C$ a safety property. Likewise, a set
that is dense intersects every non-empty open set in $\mathcal{T}$. So for any finite trace $t$ and
dense set $D$, the intersection of $\uparrow\! t$ (which is open because it is a member of $\mathbf{O}_B$) and
$D$ is nonempty. Since any finite trace can be extended to be in $D$, it holds that $D$ is a
liveness property.

We want to construct a topology on sets of traces that extends this correspondence
to hyperproperties. The most important step is generalizing the notion of finite observability
from trace properties to hyperproperties. Section 3 already did this in generalizing
a finite trace to a finite set of finite traces, that is, an observation. The observer,
as before, sees the system produce each new state in the execution. However, the observer
may now reset the system at any time, causing it to begin a new execution. At
any finite point in time, the observer has now collected a finite set of finite (thus partial)
executions. An observation is thus an element of $Obs$, as defined in section 3.

¹⁹ Topology $\mathbf{O}$ is also the Scott topology on the $\omega$-algebraic CPO of traces ordered by $\le$ [58].

An extension of an observation should allow the observer to perform additional
resets of the system, yielding a larger set of traces. An extension should also allow
each execution to proceed longer, yielding longer traces. So extension corresponds to
trace set prefix $\le$ (cf. section 3). The completion of observation $M$ is

$$\uparrow\! M \triangleq \{T \in Prop \mid M \le T\}.$$

We can now define our topology on sets of traces in terms of its subbase:

$$\mathbb{O}_{SB} \triangleq \{\uparrow\! M \mid M \in Obs\}.$$

The base $\mathbb{O}_B$ of our topology is then $\mathbb{O}_{SB}$ closed under finite intersections. The base
and subbase turn out to be the same sets.

Proposition 3. $\mathbb{O}_B = \mathbb{O}_{SB}$.

Finally, our topology $\mathbb{O}$ is $\mathbb{O}_B$ closed under infinite unions.

Define $\mathcal{C}$ to be the closed sets in our topology and $\mathcal{D}$ to be the dense sets. Just
as safety and liveness correspond to closed and dense sets in the Plotkin topology,
hypersafety and hyperliveness correspond to closed and dense sets in our generalization
of that topology.

Proposition 4. $SHP = \mathcal{C}$.

Proposition 5. $LHP = \mathcal{D}$.

Our topology $\mathbb{O}$ is actually equivalent to a well-known topology, as stated by the
following theorem. The Vietoris (or finite or convex Vietoris) topology is a standard
construction of a topology on sets out of an underlying topology [43,61]. Our underlying
topology was on traces, and we constructed a topology on sets of traces. The
Vietoris construction can be decomposed into the lower Vietoris and upper Vietoris
constructions [57], which also yield topologies. Let $V_L(\mathcal{T})$ denote the lower Vietoris
construction, which given underlying topology $\mathcal{T}$ on space $X$ produces the topology
on $\mathcal{P}(X)$ induced by subbase $\mathbb{O}_{SB}(\mathcal{T})$:

$$\mathbb{O}_{SB}(\mathcal{T}) \triangleq \{\langle O \rangle \mid O \in \mathcal{T}\},$$

where $\langle T \rangle$ is defined²⁰ as follows:

$$\langle T \rangle \triangleq \{U \in \mathcal{P}(X) \mid U \cap T \neq \emptyset\}.$$

The following theorem states that our topology is equivalent to the lower Vietoris
construction applied to the Plotkin topology:

²⁰ Operators $[\cdot]$ (from section 2) and $\langle \cdot \rangle$ are similar to modal logic operators $\Box$ (necessity) and $\Diamond$ (possibility):
For trace property $T$, lift $[T]$ denotes the set of all refinements of $T$, that is, the hyperproperty in
which $T$ is necessary. Similarly, $\langle T \rangle$ denotes the set of all trace properties that share a trace with $T$, that is,
the hyperproperty in which $T$ is always possible.

Theorem 4. $\mathbb{O} = V_L(\mathbf{O})$.

Smyth [57] established that the lower Vietoris topology is equivalent to the lower
(or Hoare) powerdomain, which is a construction used to model the semantics of nondeterminism
[48]. So our topology embodies the same intuition about nondeterminism
as the lower powerdomain does.

The proof of Theorem 4 yields another topological characterization of safety hyperproperties:
the set of lifted safety properties, closed under infinite intersections and
finite unions (denoted as closure operator $Cl_C$, because these closure conditions characterize
a topology of closed sets), is the set of safety hyperproperties.

Proposition 6. $SHP = Cl_C(\{[S] \mid S \in SP\})$.

Defining trace set prefix. Recall that trace set prefix $\le$ is defined as follows:

$$T \le T' \triangleq (\forall t \in T : (\exists t' \in T' : t \le t')).$$

For clarity, we use $\le_L$ instead of $\le$ to refer to that definition throughout the rest of this
section ($L$ stands for Lower Vietoris).

Two natural alternatives to $\le_L$ are

$$T \le_U T' \triangleq (\forall t' \in T' : (\exists t \in T : t \le t')),$$

$$T \le_C T' \triangleq T \le_L T' \wedge T \le_U T'.$$

($U$ and $C$ stand for Upper and Convex Vietoris. These prefix relations correspond to
the eponymous topologies.) However, both alternatives turn out to be unsuitable for our
purposes, because they do not correspond to our intuition about finite observability, as
we now explain.

Hyperproperty $O$ is observable iff

$$(\forall T \in Prop : T \in O \Rightarrow (\exists M \in Obs : M \le T \wedge (\forall T' \in Prop : M \le T' \Rightarrow T' \in O))).$$

Consider using $\le_U$ for trace set prefix $\le$. For a concrete example, suppose that $\Sigma =
\{a, b, c\}$, $O$ is observable, $T \in O$, and $M = \{a, b\}$. Any $T'$ such that $M \le_U T'$ must
be a member of $O$. Every trace $t'$ in $T'$ must begin with either $a$ or $b$ and cannot
begin with $c$. In particular, $T'$ might contain traces beginning only with $b$, never with
$a$. Observation $M$ therefore characterizes a system in which a nondeterministic choice
to produce $c$ as the first state is not possible. So with $\le_U$, an observation records
what nondeterminism is denied, and all future extensions of that observation are also
required to deny that nondeterminism.

In contrast, with $\le_L$ (i.e., our topology), an observation records what nondeterminism
has so far been permitted, and all future extensions of that observation are
required also to permit that nondeterminism. Our intuition is that observers of a black-box
system can observe permitted nondeterminism (by observing states produced by
the system) but not denied nondeterminism. The definition of $\le_U$ does not correspond
to that intuition, but the definition of $\le_L$ does. Similarly, using $\le_C$ for trace set prefix
$\le$ leads to observations that record both permitted and denied nondeterminism (because
$\le_C$ is the conjunction of $\le_L$ and $\le_U$), and therefore $\le_C$ does not correspond to our
intuition, either.

So neither the upper nor the convex Vietoris topology enjoys open sets that are the
observable hyperproperties; consequently, the equivalence of closed sets and hypersafety
is lost. Nonetheless, these topologies might be useful for other purposes, for
example, in refusal semantics for CSP [30].
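The three prefix relations and the $\Sigma = \{a, b, c\}$, $M = \{a, b\}$ example discussed above, as an added Python example that is not part of the original paper. Traces are strings over the state alphabet, and the three candidate extensions `ONLY_B`, `WITH_C` and `BOTH` are constructed to show which relation accepts an extension that drops an observed branch and which accepts one that adds a new first state.

```python
# Trace set prefix relations <=_L, <=_U and <=_C on finite sets of finite
# traces, as an added example.  A trace is a string over the state alphabet,
# so "ba" is the trace that produces state b and then state a, and "" is the
# empty trace.

def is_prefix(t, u):
    """t <= u on individual traces: u extends t."""
    return u.startswith(t)


def prefix_lower(T, U):
    """T <=_L U: every trace in T has an extension in U (Lower Vietoris).
    U may contain traces with no prefix in T: new nondeterminism is permitted."""
    return all(any(is_prefix(t, u) for u in U) for t in T)


def prefix_upper(T, U):
    """T <=_U U: every trace in U extends some trace in T (Upper Vietoris).
    U may drop branches of T: nondeterminism may be denied but never added."""
    return all(any(is_prefix(t, u) for t in T) for u in U)


def prefix_convex(T, U):
    """T <=_C U: both of the above (Convex Vietoris)."""
    return prefix_lower(T, U) and prefix_upper(T, U)


def classify(M, T):
    """Which of the three prefix relations hold between observation M and
    trace set T."""
    return {"L": prefix_lower(M, T),
            "U": prefix_upper(M, T),
            "C": prefix_convex(M, T)}


# The example from the text: Sigma = {a, b, c} and observation M = {a, b}.
M = {"a", "b"}
# Candidate extensions of M (constructed for the example):
ONLY_B = {"ba", "bb"}         # the a-branch recorded in M never shows up again
WITH_C = {"aa", "bb", "ca"}   # both branches of M continue and c appears
BOTH = {"ab", "ba"}           # exactly the branches of M, each continued

if __name__ == "__main__":
    for name, T in (("ONLY_B", ONLY_B), ("WITH_C", WITH_C), ("BOTH", BOTH)):
        print(name, classify(M, T))
```

Under $\le_U$, `ONLY_B` is accepted although the $a$-branch that was actually observed has disappeared, while `WITH_C` is rejected for exhibiting a first state $c$ that the observation never ruled out; under $\le_L$ it is the other way round. A black-box observer can only ever have seen what `ONLY_B` lacks, never what `WITH_C` adds, which is the intuition the text uses to settle on $\le_L$.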


7  Beyond  Hypersafety  and  Hyperliveness 

7.1  Intersections 

Security  policies  can  exhibit  features  of  both  safety  and  liveness.  For  example,  con¬ 
sider  a  policy  on  a  medical  information  system  that  must  maintain  the  confidentiality 
of  patient  records  and  must  also  eventually  notify  patients  whenever  their  records  are 
accessed [6]. If the confidentiality requirement is interpreted as observational determinism
OD (2.6), then this system must both prevent bad things (OD, which is hypersafety)
as  well  as  guarantee  good  things  (eventual  notification,  which  can  be  formulated  as 
liveness).  As  another  example,  consider  an  asynchronous  proactive  secret-sharing  sys¬ 
tem  [67]  that  must  maintain  and  periodically  refresh  a  secret.  Each  share  refresh  must 
complete  during  a  given  time  interval  with  high  probability.  Maintaining  the  confiden¬ 
tiality  of  the  secret  can  be  formulated  as  SecS  (4.1),  which  is  hypersafety.  The  eventual 
refresh  of  the  secret  shares  can  be  formulated  as  liveness:  every  execution  eventually 
completes  the  refresh  if  enough  servers  remain  uncompromised.  And  the  high  proba¬ 
bility  that  the  refresh  succeeds  within  a  given  time  interval  is  hyperliveness — similar 
to  mean  response  time  RT  (2.7).  Both  of  these  examples  illustrate  hyperproperties  that 
are  intersections  of  (hyper)safety  and  (hyper)liveness. 

In  fact,  as  stated  by  the  following  theorem,  every  hyperproperty  is  the  intersection 
of  a  safety  hyperproperty  with  a  liveness  hyperproperty.  This  theorem  generalizes  the 
result  of  Alpern  and  Schneider  [4]  that  every  trace  property  is  the  intersection  of  a 
safety  property  and  a  liveness  property. 

Theorem 5. $(\forall P \in HP : (\exists S \in SHP, L \in LHP : P = S \cap L))$.

7.2  System  Representations 

Recall  that  hyperproperties  are  system  properties  in  which  system  execution  is  modeled 
with  trace  sets.  Some  models  of  system  execution  are  expressed  with  other  mathemat¬ 
ical  formalisms — for  example,  Goguen  and  Meseguer’s  noninterference  GMNI  (2.4) 
models  systems  as  deterministic  state  machines. 

We have not yet classified GMNI as hypersafety or hyperliveness. Recall that our
formalization of GMNI included the conjunct "$T \in SM$", where hyperproperty $SM$
is the set of all trace sets that encode deterministic state machines. Therefore GMNI
excludes all trace sets that do not encode a deterministic state machine. It is reasonable
to expect that GMNI is hypersafety; the bad thing is a set $\{t, t'\}$ of finite traces where $t'$
contains no high inputs and contains the same low inputs as $t$, yet $t$ and $t'$ have different
low outputs. But GMNI fails to be hypersafety because of a technicality: a system $T$
might fail to satisfy GMNI only because $T$ is nondeterministic, in which case a deterministic,
non-interfering observation of $T$ would be remediable, hence GMNI would
not be hypersafety.²¹ The problem is that the definition of hypersafety, by quantifying
over $Prop$, assumed that systems are allowed to be nondeterministic. Now that we
are interested in a restricted system representation, we need to restrict the definition of
hypersafety and quantify over a smaller set of systems. Let $Rep$ be a set of trace sets
denoting a system representation, that is, a subset of $Prop$ containing those trace sets
that represent systems of interest. And let $Obs(Rep)$ denote the subset of $Obs$ containing
observations of $Rep$, where

$$Obs(Rep) \triangleq \{M \in Obs \mid (\exists T \in Rep : M \le T)\}.$$

Now we can define hypersafety and hyperliveness for a given system representation.

Safety hyperproperty for system representation Rep. A hyperproperty S is a safety hyperproperty for system representation Rep (is hypersafety for Rep) iff
$$(\forall T \in \mathsf{Rep} : T \notin \mathbf{S} \Rightarrow (\exists M \in \mathit{Obs}(\mathsf{Rep}) : M \le T \wedge (\forall T' \in \mathsf{Rep} : M \le T' \Rightarrow T' \notin \mathbf{S}))).$$

Liveness hyperproperty for system representation Rep. Hyperproperty L is a liveness hyperproperty for system representation Rep (is hyperliveness for Rep) iff
$$(\forall T \in \mathit{Obs}(\mathsf{Rep}) : (\exists T' \in \mathsf{Rep} : T \le T' \wedge T' \in \mathbf{L})).$$

GMNI  indeed  is  hypersafety  for  SM,  fulfilling  our  expectation. 

The results proved in this paper about hypersafety and hyperliveness generalize naturally to system representations besides Prop. Informally, the generalizations are as follows:22

• If P is safety (liveness) for Rep, then [P] is hypersafety (hyperliveness) for Rep (generalizing Propositions 1 and 2).

• If P is hypersafety for Rep, then P is subset closed for Rep, but not necessarily subset closed for Prop (generalizing Theorem 1). Consequently, stepwise refinement does not necessarily work with hyperproperties that are hypersafety for Rep.

• If P is a possibilistic information-flow policy for Rep, then P is hyperliveness for Rep (generalizing Theorem 3).

• k-hypersafety for Rep can be reduced to safety for Rep* (generalizing Theorem 2).

• Every hyperproperty for Rep is the intersection of a safety hyperproperty for Rep with a liveness hyperproperty for Rep (generalizing Theorem 5).

21 A similar problem would occur even if we used implication instead of conjunction to formalize the requirement that systems be deterministic state machines: any observation could be remediated by adding traces that represent nondeterministic transitions of the state machine.

22 We leave generalizing the topological results as future work. However, since the intersection theorem generalizes, we believe that the topological results could also be generalized.

Appendix C gives formal statements of these results. The proofs of these results are all straightforward corollaries of the original results, although some proofs require additional assumptions about Rep.

We now explore system properties in various system representations (relational systems, labeled transition systems, state machines, and probabilistic systems) by encoding each into trace sets, thus into hyperproperties.

7.2.1  Relational  Systems 

In language-based information-flow security [53], a program P is sometimes modeled (e.g., with large-step operational semantics) as a relation $\Downarrow$ such that $(P, s) \Downarrow s'$ if P begun in initial state s terminates in final state s'. Using this relation, noninterference can be stated as
$$s_1 =_L s_2 \wedge (P, s_1) \Downarrow s_1' \wedge (P, s_2) \Downarrow s_2' \Rightarrow s_1' =_L s_2',$$
where relation $=_L$ (cf. observational determinism OD (2.6)) determines which states are low-equivalent. This statement of noninterference is termination insensitive because it allows information to leak through termination channels.

To model a program P as set T of traces, intuitively, imagine that an observer of the program periodically checks to see in what state the program is. If P begun in initial state s never terminates, then the observer will see an infinite sequence containing only s. If P does terminate in final state s', then the observer will see a finite sequence of s followed by an infinite sequence of s'. Let T be the set of all such traces. Formally, T is defined as follows:
$$T = \{t \in \Psi_{\mathrm{inf}} \mid (P, s) \Downarrow s' \wedge t \in s^+ (s')^\omega\} \cup \{t \in \Psi_{\mathrm{inf}} \mid \neg(\exists s' : (P, s) \Downarrow s') \wedge t = s^\omega\}.$$
Let Rel, the set of all relational systems, be the set of all trace sets so constructed for any P.

Define termination-insensitive relational noninterference as a hyperproperty:
$$\mathbf{TIRNI} = \{T \in \mathsf{Prop} \mid T \in \mathsf{Rel} \wedge (\forall t_1, t_2 \in T : t_1[0] =_L t_2[0] \Rightarrow \mathit{diverges}(t_1) \vee \mathit{diverges}(t_2) \vee (\exists s_1, s_2 \in \Sigma : \mathit{terminates}(t_1, s_1) \wedge \mathit{terminates}(t_2, s_2) \wedge s_1 =_L s_2))\}. \quad (7.1)$$
Predicate diverges(t) holds whenever t is a trace of a program P such that P does not terminate when begun in initial state t[0], so $t = (t[0])^\omega$. Similarly, predicate terminates(t, s) holds whenever P terminates in final state s when begun in initial state t[0], so $t = (t[0])^+ s^\omega$. We assume without loss of generality that final states are distinguishable from initial states (e.g., by having a special flag set), so that diverges and terminates can distinguish between nontermination and termination in a final state that otherwise is identical to an initial state. TIRNI is hypersafety for Rel: the bad thing is a pair of traces that begin in low-equivalent initial states but terminate in final states that are not low-equivalent.

Termination-sensitive noninterference is the same as termination insensitive, except that it forbids one trace to diverge and the other to terminate. So define termination-sensitive relational noninterference as follows:
$$\mathbf{TSRNI} = \{T \in \mathsf{Prop} \mid T \in \mathsf{Rel} \wedge (\forall t_1, t_2 \in T : t_1[0] =_L t_2[0] \Rightarrow (\mathit{diverges}(t_1) \wedge \mathit{diverges}(t_2)) \vee (\exists s_1, s_2 \in \Sigma : \mathit{terminates}(t_1, s_1) \wedge \mathit{terminates}(t_2, s_2) \wedge s_1 =_L s_2))\}. \quad (7.2)$$
Note that the only change is that a disjunction became a conjunction. TSRNI is not hypersafety for Rel: a system containing a pair $\{t, t'\}$ of traces, where t diverges and t' does not, yet where t and t' contain low-equivalent initial states, does not satisfy TSRNI. But any finite prefix of this pair could be remediated by extending the prefix of t to terminate in the same final state as t'. Likewise, TSRNI is not hyperliveness for Rel:23 consider a finite observation containing a pair of terminating traces that have low-equivalent initial states but not low-equivalent final states. This observation cannot be extended to be in TSRNI.
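As an added example (not from the paper), the relational encoding of section 7.2.1 and the TIRNI (7.1) and TSRNI (7.2) checks, run over three small constructed programs on a two-bit state. The infinite traces $s^+ (s')^\omega$ and $s^\omega$ are kept in lasso form (finite prefix plus a state repeated forever), and one representative prefix length is kept per final state, which does not affect membership because the two predicates only inspect t[0] and the final state.

```python
from itertools import product

# States are (low, high, final): the boolean 'final' flag is the paper's
# "special flag" distinguishing final states from initial ones (constructed).
INITIALS = [(lo, hi, False) for lo in (0, 1) for hi in (0, 1)]

def low_equiv(s1, s2):
    """=_L on states: a low observer sees only the low component."""
    return s1[0] == s2[0]

# Three constructed programs, each given as the relation (P, s) ==> s':
# an initial state maps to the set of final states it can reach, and an
# empty set means P diverges from that initial state.
def prog_copy(s):            # low := high          (direct leak)
    lo, hi, _ = s
    return {(hi, hi, True)}

def prog_loop_on_high(s):    # while high = 1: skip (termination channel)
    lo, hi, _ = s
    return set() if hi == 1 else {(lo, hi, True)}

def prog_flip_low(s):        # low := 1 - low       (no leak)
    lo, hi, _ = s
    return {(1 - lo, hi, True)}

def traces(prog, initials=INITIALS):
    """Trace set T of section 7.2.1 in lasso form (prefix, looped_state):
    ((), s) encodes s^omega and ((s,), s') encodes s s'^omega."""
    T = set()
    for s in initials:
        finals = prog(s)
        if not finals:
            T.add(((), s))
        for s_final in finals:
            T.add(((s,), s_final))
    return T

def unfold(t, n):
    """First n states of the infinite trace t, for inspection."""
    prefix, loop = t
    return (prefix + (loop,) * n)[:n]

def initial(t):
    prefix, loop = t
    return prefix[0] if prefix else loop

def diverges(t):
    """t = (t[0])^omega: the looped state is still a non-final state."""
    prefix, loop = t
    return prefix == () and not loop[2]

def terminates(t, s):
    """t = (t[0])^+ s^omega with s a final state."""
    prefix, loop = t
    return prefix != () and loop[2] and loop == s

def final_of(t):
    return None if diverges(t) else t[1]

def tirni_violation(T):
    """Return a pair (t1, t2) violating (7.1), or None if T is in TIRNI."""
    for t1, t2 in product(T, repeat=2):
        if not low_equiv(initial(t1), initial(t2)):
            continue
        if diverges(t1) or diverges(t2):
            continue                       # termination leaks are tolerated
        s1, s2 = final_of(t1), final_of(t2)
        if not (terminates(t1, s1) and terminates(t2, s2) and low_equiv(s1, s2)):
            return (t1, t2)
    return None

def tsrni_violation(T):
    """Return a pair (t1, t2) violating (7.2), or None if T is in TSRNI."""
    for t1, t2 in product(T, repeat=2):
        if not low_equiv(initial(t1), initial(t2)):
            continue
        if diverges(t1) and diverges(t2):
            continue                       # both diverge: allowed
        s1, s2 = final_of(t1), final_of(t2)
        if s1 is None or s2 is None:
            return (t1, t2)                # one diverges, the other terminates
        if not (terminates(t1, s1) and terminates(t2, s2) and low_equiv(s1, s2)):
            return (t1, t2)
    return None

if __name__ == "__main__":
    for name, prog in [("copy", prog_copy), ("loop_on_high", prog_loop_on_high),
                       ("flip_low", prog_flip_low)]:
        T = traces(prog)
        print(name, "TIRNI:", tirni_violation(T) is None,
              "TSRNI:", tsrni_violation(T) is None)
```

The loop-on-high program is the interesting case: it is in TIRNI but not in TSRNI, and the returned witness is exactly the diverging/terminating pair that the text describes as irremediable only at the infinite level.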

7.2.2  Labeled  Transition  Systems 

Definitions of noninterference are sometimes based on bisimulation, which is a relation that specifies whether two systems are equivalent to an observer. Bisimulations are often expressed over labeled transition systems, which are triples $(S, L, \rightarrow)$ where S is a set of LTS-states,24 L is a set of labels, and $\rightarrow$ is a relation on $S \times L \times S$ [45]. Elements of relation $\rightarrow$ are usually notated $s_1 \xrightarrow{\ell} s_2$ and are interpreted to mean that the system has a transition labeled $\ell$ from LTS-state $s_1$ to LTS-state $s_2$.

A labeled transition system $(S, L, \rightarrow)$ can be encoded as a set of traces. Define the state space $\Sigma$ for the traces to be $S \times L$.25 Given state $s \in \Sigma$, let st(s) denote the LTS-state from s, and let lab(s) denote the label from s. Define $\mathit{traces}(S, L, \rightarrow)$ to be
$$\{t \mid (\forall i \in \mathbb{N} : \mathit{st}(t[i]) \xrightarrow{\mathit{lab}(t[i])} \mathit{st}(t[i+1]))\}.^{26}$$
Let LTS be the set of all trace sets so constructed for any LTS.

23 Terauchi and Aiken [60] characterized termination-sensitive noninterference as "2-liveness," where they defined "2-liveness" as a "property which may observe up to two possibly infinite traces to refute the property." Although they are correct that TSRNI could be refuted by observing two infinite traces, refutation is really about safety, not liveness: there is no good thing for TSRNI, but there is an infinitely-observable bad thing. So "2-infinite-safety" would be a better term than "2-liveness."

24 We use the term LTS-state to distinguish these from the states defined in section 2.

25 This construction would not work with an impoverished notion of state, as observed by Focardi and Gorrieri [22] for states that are elements only of L.

26 We could replace lab(t[i]) with lab(t[i+1]) in this definition; the choice of where to store the label is arbitrary.
We now demonstrate how to use this encoding by formalizing Focardi and Gorrieri's [22] definition of bisimulation nondeducibility on compositions (BNDC), which is a noninterference policy for nondeterministic LTSs. The intuition behind this policy is that a system should appear the same to a low observer no matter with what other system it is composed (i.e., run in parallel). Assume that set L of labels can be partitioned into three sets of actions (i.e., events): a set of low security actions, a set H of high security actions, and $\{\tau\}$, where $\tau$ is an unobservable internal action. An LTS $E = (S, L, \rightarrow)$ satisfies BNDC, denoted BNDC(E), iff for all LTSs $F = (S, H \cup \{\tau\}, \rightarrow_F)$ that take only high and internal actions,
$$E/H \approx (E|F) \setminus H,$$
with notations $/$, $|$, $\setminus$, and $\approx$ informally defined as follows:27

• Hiding operator $E/H$ relabels as $\tau$ all actions from H that occur during execution of E. System $E/H$ thus represents the view of system E by a low observer, since all the high actions are hidden.

• Parallel composition operator $E|F$ denotes the interleaving of systems E and F. The systems can synchronize on actions, causing the composed system to emit internal action $\tau$.

• Restriction operator $E \setminus H$ prohibits the occurrence of any actions from H during execution of E, meaning that no transition with a label from H is allowed. System $(E|F) \setminus H$ thus represents a low observer's view of E when all the high actions that E takes are synchronized with F.

• Weak bisimulation relation $E \approx F$ intuitively means that E and F can simulate each other: if E can take a transition with label $\ell$, then there must exist a transition of F that is also labeled $\ell$, and after taking those transitions E and F must remain bisimilar. F is allowed to take any number of internal transitions (labeled $\tau$) before or after the $\ell$-labeled transition. Further, the relation must be symmetric, such that if $E \approx F$ then $F \approx E$.

Thus, if $E/H \approx (E|F) \setminus H$, then a low observer's view of E does not change when E is composed with any high security system F. The hyperproperty corresponding to Focardi and Gorrieri's BNDC is
$$\mathbf{BNDC} = \{T \in \mathsf{Prop} \mid T \in \mathsf{LTS} \wedge (\exists E \in \mathsf{LTS} : T = \mathit{traces}(E) \wedge \mathit{BNDC}(E))\}. \quad (7.3)$$
BNDC is hyperliveness for LTS because of the existential in the definition of $\approx$: any observation can be remedied by adding additional transitions. This remediation corresponds to a closure operator because it only adds traces, thus BNDC is a possibilistic information-flow policy.

Appendix B presents another bisimulation-based noninterference policy as a hyperproperty.

27 The formal definitions (over LTSs) are standard and given by Focardi and Gorrieri [22]. It is straightforward to define them directly over trace sets.
7.2.3 State Machines

Goguen and Meseguer [23] define a state machine as a tuple $(S, C, O, \mathit{out}, \mathit{do}, s_0)$, where S is a set of machine states, C is a set of commands, O is a set of outputs, out is a function from S to O yielding what output the user of the machine observes when the machine is in a given state, do is a function from $S \times C$ to S describing how the machine transitions between states as a function of commands, and $s_0$ is the initial state of the machine.28 Such state machines are deterministic because do is a function rather than a relation.

A state machine $M = (S, C, O, \mathit{out}, \mathit{do}, s_0)$ can be encoded as a set of traces. The construction proceeds in two steps. First, M is encoded as a labeled transition system (cf. section 7.2.2) by treating the machine commands and outputs as labels: let the set S of LTS-states be set S of machine states. Let the set L of labels be product set $C \times O$ of commands and outputs. Let the transition relation $\rightarrow$ include $(s, (c, o), s')$ whenever $\mathit{do}(s, c) = s'$ and $\mathit{out}(s') = o$. We now have a labeled transition system $L = (S, L, \rightarrow)$. Second, the traces of M are the traces of L that start with $s_0$: let traces(M) be $\mathit{traces}(S, L, \rightarrow) \cap \{t \in \Psi_{\mathrm{inf}} \mid t[0] = s_0\}$.

The set SM of all state machines is a hyperproperty:
$$\mathbf{SM} = \{T \in \mathsf{Prop} \mid (\exists M : T = \mathit{traces}(M))\}. \quad (7.4)$$
As noted at the beginning of this section, GMNI is hypersafety for SM.

7.2.4 Probabilistic Systems

A probabilistic system is equipped with a function p such that the system transitions from a state s to state s' with probability $p(s, s')$.29 This probability is Markovian because it does not depend upon past or future states in an execution; nonetheless, dependence upon the past or future can be modeled by allowing states to contain history or prophecy variables [1]. Function p can itself even be encoded into the state in various ways. For example, state s could record $p(s, s')$ for all states s'. Or in a trace t, state t[i] could record $p(t[i], t[i+1])$. This latter encoding is an instantiation of the construction in section 7.2.2 for encoding labeled transition systems as sets of traces; here, the labels are probabilities. Either way, probabilistic systems can be modeled as sets of traces. Define PR to be the set of all trace sets that encode probabilistic systems; that is, trace set T is in PR if T encodes a valid probability function $p(\cdot, \cdot)$.

To obtain a probability measure on sets of traces, let $\mathit{Pr}_{S,s}(T)$ denote the probability with which set T of finite traces is produced by probabilistic system S beginning in initial state s.30 O'Neill et al. [47] show how to construct this probability measure from p. We now demonstrate how the measure can be used in the definitions of hyperproperties.

28 Our definition of state machines simplifies Goguen and Meseguer's by omitting user clearances, though the clearances still appear in the definition of GMNI.

29 To be a valid probability, $p(s, s')$ must be in the real interval [0, 1] for all s and s'; and for all s, it must hold that $\sum_{s'} p(s, s') = 1$.

30 The initial state can be eliminated if we also assume a prior probability on initial states [26, §6.5]. The requirement that the traces in T be finite is, however, essential to ensure that $\mathit{Pr}_{S,s}(T)$ is a valid probability measure.
Probabilistic noninterference. In information-flow security, the original motivation for adding probability to system models was to address covert channels and to establish connections between information theory and information flow [24, 25, 44]. Probabilistic noninterference [25] emerged from this line of research. Intuitively, this policy requires that the probability of every low trace be the same for every low-equivalent initial state. To formulate probabilistic noninterference as a hyperproperty, we need some notation. Let the low equivalence class of a finite trace t be denoted $[t]_L$, where
$$[t]_L = \{t' \in \Psi_{\mathrm{fin}} \mid \mathit{ev}_L(t) = \mathit{ev}_L(t')\}.$$
The probability that system S, starting in state s, produces a trace that is low-equivalent to t is therefore $\mathit{Pr}_{S,s}([t]_L)$. Let the set of initial states of trace property T be denoted Init(T), where
$$\mathit{Init}(T) \triangleq \{s \mid \{s\} \le T\}.$$
Probabilistic noninterference can now be expressed as follows:
$$\mathbf{PNI} = \{T \in \mathsf{Prop} \mid T \in \mathsf{PR} \wedge (\forall s_1, s_2 \in \mathit{Init}(T) : \mathit{ev}_L(s_1) = \mathit{ev}_L(s_2) \Rightarrow (\forall t \in \Psi_{\mathrm{fin}} : \mathit{Pr}_{s_1,T}([t]_L) = \mathit{Pr}_{s_2,T}([t]_L)))\}. \quad (7.5)$$

PNI is not hyperliveness for PR, because a system that deterministically produces two non-low-equivalent traces from two initial low-equivalent states cannot be extended to satisfy PNI. Whether PNI is hypersafety for PR depends on whether state space $\Sigma$ is finite. To see why, consider a system T such that $T \notin \mathbf{PNI}$ and $T \in \mathsf{PR}$. We can attempt to construct a bad thing M for T as follows. Since $T \notin \mathbf{PNI}$, there exists a trace $t_L$ of low events that is produced by initial states $s_1$ and $s_2$ with differing probabilities. Let M be the prefix of T that completely determines the probability of $t_L$ for those initial states:
$$M = \{t \in \Psi_{\mathrm{fin}} \mid t[0] \in \{s_1, s_2\} \wedge t \le T \wedge \mathit{ev}_L(t) = t_L\}.$$
Recall that bad things must be finitely observable and irremediable. M is irremediable because no extension of it can change the probability of $t_L$ for initial states $s_1$ and $s_2$. But is M finitely observable, that is, is $M \in \mathsf{Obs}$? Recall that an element of Obs must be a finite set of finite traces. Each trace in M is finite, but M might not be a finite set:

• If state space $\Sigma$ is countably infinite,31 then there could be infinitely many states to which $s_1$ (and $s_2$) transition. Hence there could need to be infinitely many traces in M to completely determine the probability of $t_L$, so M could not be in Obs. Moreover, any finite subset N of M would necessarily omit some states from $\Sigma$. So it might be possible to extend N to a system T' that satisfies PNI by adding traces containing those omitted states. Thus T would have no bad thing, and PNI would not be hypersafety for PR.

• If $\Sigma$ is finite, then only finitely many finite traces are low-equivalent to $t_L$. Thus M is finite, and no extension T' of M can change the probability of $t_L$. So T' cannot be in PNI. Therefore PNI is hypersafety for PR.

31 State space $\Sigma$ cannot be uncountably infinite without generalizing probability function $p(\cdot, \cdot)$ to a probability measure.

Gray's definition of probabilistic noninterference [25] is hypersafety for PR because Gray required the state (and input and output) space to be finite. But the definition of O'Neill et al. [47] is neither hypersafety nor hyperliveness, because it allowed a countably infinite state space.

Secure encryption. A private-key encryption scheme is a tuple $(\mathcal{M}, \mathcal{K}, \mathcal{C}, \mathit{Gen}, \mathit{Enc}, \mathit{Dec})$, where $\mathcal{M}$ is the message space, $\mathcal{K}$ is the key space, and $\mathcal{C}$ is the ciphertext space, such that the following hold:

• Gen is the key-generation algorithm, a randomized algorithm that produces a key $k \in \mathcal{K}$. We write $k \leftarrow \mathit{Gen}$ to denote the sampling of k from the probability distribution induced by Gen.

• Enc is the encryption algorithm, an algorithm (either randomized or deterministic) that accepts a key $k \in \mathcal{K}$, a plaintext message $m \in \mathcal{M}$, and yields a ciphertext $c \in \mathcal{C}$ that is the encryption of m using k. We denote this as $c = \mathit{Enc}(m, k)$.

• Dec is the decryption algorithm, a deterministic algorithm that accepts a key $k \in \mathcal{K}$, a ciphertext $c \in \mathcal{C}$, and yields a plaintext m that is the decryption of c using k. We denote this as $m = \mathit{Dec}(c, k)$.

• Decryption is the inverse of encryption. Formally, for all $m \in \mathcal{M}$ and $k \in \mathcal{K}$,
$$\Pr(\mathit{Dec}(\mathit{Enc}(m, k), k) = m) = 1.$$

A private-key encryption scheme satisfies perfect indistinguishability [32] if the probability distribution on ciphertexts is the same for all plaintexts. Formally, for all $m_1$, $m_2$, and c,
$$\Pr(k \leftarrow \mathit{Gen} : \mathit{Enc}(m_1, k) = c) = \Pr(k \leftarrow \mathit{Gen} : \mathit{Enc}(m_2, k) = c).$$

Perfect indistinguishability can be formulated as a hyperproperty on probabilistic systems. To encode encryption scheme $(\mathcal{M}, \mathcal{K}, \mathcal{C}, \mathit{Gen}, \mathit{Enc}, \mathit{Dec})$ as a probabilistic system, let the set of states of the system be
$$\mathcal{M} \cup \mathcal{K} \cup \mathcal{C} \cup \{\mathit{Gen}\} \cup \{\mathit{Enc}(m, k) \mid k \in \mathcal{K}, m \in \mathcal{M}\} \cup \{\mathit{Dec}(c, k) \mid k \in \mathcal{K}, c \in \mathcal{C}\}.$$
Let probability function $p(\cdot, \cdot)$ be defined such that

• $p(\mathit{Gen}, k) = \Pr(k = \mathit{Gen})$,

• $p(\mathit{Enc}(m, k), c) = \Pr(c = \mathit{Enc}(m, k))$, and

• $p(\mathit{Dec}(c, k), m) = 1$ iff $\mathit{Dec}(c, k) = m$.
Let the system so constructed from $(\mathcal{M}, \mathcal{K}, \mathcal{C}, \mathit{Gen}, \mathit{Enc}, \mathit{Dec})$ be denoted
$$\mathit{encSys}(\mathcal{M}, \mathcal{K}, \mathcal{C}, \mathit{Gen}, \mathit{Enc}, \mathit{Dec}),$$
and let the set of all such systems be ES. The following hyperproperty expresses perfect indistinguishability:
$$\mathbf{PI} \triangleq \{T \in \mathsf{Prop} \mid T \in \mathsf{ES} \wedge (\exists \mathcal{M}, \mathcal{K}, \mathcal{C}, \mathit{Gen}, \mathit{Enc}, \mathit{Dec} : T = \mathit{encSys}(\mathcal{M}, \mathcal{K}, \mathcal{C}, \mathit{Gen}, \mathit{Enc}, \mathit{Dec}) \wedge (\forall m_1, m_2 \in \mathcal{M};\ c \in \mathcal{C} : \Pr(\mathit{Enc}(m_1) = c) = \Pr(\mathit{Enc}(m_2) = c)))\}, \quad (7.6)$$
where $\Pr(\mathit{Enc}(m) = c)$ denotes
$$\sum_{k \in \mathcal{K}} \mathit{Pr}_{\mathit{Gen},T}(\{\mathit{Gen}, k\}) \cdot \mathit{Pr}_{\mathit{Enc}(m,k),T}(\{\mathit{Enc}(m, k), c\}).$$
PI is hypersafety for ES because any encryption scheme that is not in PI has a ciphertext c and two messages $m_1, m_2$ such that the probability that $m_1$ encrypts to c is not equal to the probability that $m_2$ encrypts to c. Trace set $\{\mathit{Enc}(m, k), c \mid k \in \mathcal{K}, m \in \{m_1, m_2\}\}$ thus is irremediable, and it is finite assuming that key space $\mathcal{K}$ is finite. So the trace set is a bad thing. But note that PI is not subset closed for Prop, so stepwise refinement is not applicable with PI.
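As an added example (not the paper's code), the encSys construction above and the PI check of (7.6), run over two constructed schemes on 2-bit messages with $\mathcal{M} = \mathcal{K} = \mathcal{C}$: an XOR cipher with uniformly sampled keys, and the same cipher with a biased Gen. Exact rationals keep the probability comparison exact, and the bad-thing set is built exactly as the text describes it.

```python
from fractions import Fraction
from itertools import product

# Constructed toy schemes: 2-bit messages, keys and ciphertexts (M = K = C).
SPACE = list(range(4))

def xor_enc(m, k):
    return m ^ k

def xor_dec(c, k):
    return c ^ k

# Gen given as a probability distribution over keys (constructed).
UNIFORM_GEN = {k: Fraction(1, 4) for k in SPACE}
BIASED_GEN = {0: Fraction(1, 2), 1: Fraction(1, 6), 2: Fraction(1, 6), 3: Fraction(1, 6)}

def enc_sys(msgs, keys, ctxts, gen, enc, dec):
    """p(., .) of encSys(M, K, C, Gen, Enc, Dec) as a dict from a
    (state, next_state) pair to its transition probability; unlisted pairs
    have probability 0.  Enc and Dec are deterministic here, so their
    transitions have probability 1."""
    p = {}
    for k in keys:
        p[("Gen", k)] = gen.get(k, Fraction(0))               # p(Gen, k)
    for m, k in product(msgs, keys):
        p[(("Enc", m, k), enc(m, k))] = Fraction(1)           # p(Enc(m,k), c)
    for c, k in product(ctxts, keys):
        p[(("Dec", c, k), dec(c, k))] = Fraction(1)           # p(Dec(c,k), m)
    return p

def valid_probability(p):
    """Footnote 29: every listed source state's outgoing probabilities lie
    in [0,1] and sum to 1 (states with no listed transitions are skipped;
    this is an assumption of the example)."""
    totals = {}
    for (src, _dst), pr in p.items():
        if not 0 <= pr <= 1:
            return False
        totals[src] = totals.get(src, Fraction(0)) + pr
    return all(total == 1 for total in totals.values())

def pr_trace(p, trace):
    """Pr_{s,T} of a single finite trace: product of its transition probabilities."""
    pr = Fraction(1)
    for a, b in zip(trace, trace[1:]):
        pr *= p.get((a, b), Fraction(0))
    return pr

def pr_enc(p, keys, m, c):
    """Pr(Enc(m) = c) as in (7.6): the sum over keys of
    Pr_{Gen,T}({Gen, k}) * Pr_{Enc(m,k),T}({Enc(m,k), c})."""
    return sum(pr_trace(p, ("Gen", k)) * pr_trace(p, (("Enc", m, k), c))
               for k in keys)

def pi_violation(p, msgs, keys, ctxts):
    """Return (m1, m2, c) with Pr(Enc(m1)=c) != Pr(Enc(m2)=c), or None if
    the encoded scheme satisfies PI."""
    for m1, m2, c in product(msgs, msgs, ctxts):
        if pr_enc(p, keys, m1, c) != pr_enc(p, keys, m2, c):
            return (m1, m2, c)
    return None

def bad_thing(p, keys, m1, m2):
    """The irremediable trace set {Enc(m,k), c | k in K, m in {m1, m2}};
    finite because K is finite, hence a bad thing for PI."""
    return {(("Enc", m, k), c) for m in (m1, m2) for k in keys
            for (src, c) in p if src == ("Enc", m, k)}

def decrypts_correctly(msgs, keys, enc, dec):
    """Pr(Dec(Enc(m,k),k) = m) = 1, checked for deterministic Enc/Dec."""
    return all(dec(enc(m, k), k) == m for m, k in product(msgs, keys))

if __name__ == "__main__":
    for name, gen in [("uniform", UNIFORM_GEN), ("biased", BIASED_GEN)]:
        p = enc_sys(SPACE, SPACE, SPACE, gen, xor_enc, xor_dec)
        print(name, "valid:", valid_probability(p),
              "PI violation:", pi_violation(p, SPACE, SPACE, SPACE))
```

With the biased Gen, ciphertext 0 is produced from message 0 with probability 1/2 but from message 1 with probability 1/6, so the scheme's encSys is outside PI and the returned bad thing has one trace per (message, key) pair.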

Other definitions of secure encryption, such as computational indistinguishability in various attacker models (including IND-CPA and IND-CCA), can similarly be formulated as hyperproperties.

Quantifying information flow. Probability can also be used to reason about the amount of information that a system can leak. For example, channel capacity is the maximum rate at which information can be reliably sent over a channel [55]; Gray [25] formulates as a channel the leakage of secret information from a system, and he quantifies the capacity of that channel. The hyperproperty "The channel capacity is k bits" (denoted $\mathbf{CC}_k$) is hyperliveness for PR, since no matter what the rate is for some finite prefix of the system, the rate can be changed to any arbitrary amount by an appropriate extension that conveys more or less information.

To measure quantity of leakage from repeated experiments in probabilistic programs, Clarkson et al. [14] use a probabilistic denotational semantics. This semantics can be used to define a system, and the traces of the system represent repeated executions of the program. The hyperproperty "The quantity of leakage over every series of experiments on program S is less than k bits" (denoted $\mathbf{QL}_k$) is hypersafety for a variant of PR. For details, see Appendix B.
Figure 1: Classification of security policies

8 Concluding Remarks

Many security policies have been classified as hyperproperties in this paper. Figure 1 summarizes this classification.

Although this paper formulates security policies with hyperproperties, security policies historically have been formulated in terms of confidentiality, integrity, and availability requirements [16, 17, 31]. The relation between these two formulations is an open question, but we can offer some observations:

• Information-flow confidentiality is not a trace property, but it is a hyperproperty, and it can be hypersafety (e.g., observational determinism) or hyperliveness (e.g., generalized noninterference).

• Integrity, which we have not discussed in this paper, includes examples from safety, hypersafety, and hyperliveness.

• Availability is sometimes hypersafety (maximum response time in any execution, which is also safety) and sometimes hyperliveness (mean response time over all executions).

The classification of security requirements as confidentiality, integrity, and availability therefore would seem to be orthogonal to hypersafety and hyperliveness. Hypersafety and hyperliveness have the advantages of being formalized and providing an orthogonal basis for constructing security policies. In contrast, there is no formalization that simultaneously characterizes confidentiality, integrity, and availability,32 nor are confidentiality, integrity, and availability orthogonal.33

Finally, no relatively complete verification methodology exists for confidentiality, integrity, or availability. But there is such a methodology for trace properties: given a trace property P, construct a safety property S and a liveness property L such that $P = S \cap L$, then use invariance arguments to verify S and well-foundedness arguments to verify L [4, 5]. And we have now taken steps toward generalizing this methodology to apply to hyperproperties. Theorem 5 shows that every hyperproperty P can be expressed as the intersection of a safety hyperproperty S and a liveness hyperproperty L, and the proof of Theorem 5 shows that S and L can be constructed from P. If S is a k-safety hyperproperty, then by Theorem 2, it can be verified using reasoning about safety. It remains an open question whether general methods exist that are relatively complete for verification of safety hyperproperties that are not k-safety, or for liveness hyperproperties.34 Such methods would complete the verification methodology for hyperproperties. Then, security might take its place as "just another" functional requirement to be verified.
A Summary of Notation

Bold face denotes "hyper" and sans serif denotes sets of (trace or hyper-) properties. Predicates and functions always begin with lower case, whereas (trace or hyper-) properties always begin with upper case.
(symbol lost)    set of all states
(symbol lost)    set of all finite traces
(symbol lost)    set of all infinite traces
(symbol lost)    set of all traces
(symbol lost)    trace index
(symbol lost)    trace prefix
(symbol lost)    trace suffix
(symbol lost)    set of all trace properties
(symbol lost)    powerset operator
(symbol lost)    trace property (and hyperproperty) satisfaction
(symbol lost)    trace property "no read then write"
(symbol lost)    trace property "access control"
(symbol lost)    trace property "guaranteed service"
(symbol lost)    set of all hyperproperties
(symbol lost)    lift of trace property P to equivalent hyperproperty
(symbol lost)    hyperproperty "Goguen and Meseguer's noninterference"
(symbol lost)    hyperproperty "generalized noninterference"
(symbol lost)    hyperproperty "observational determinism"
(symbol lost)    low-indistinguishability relation on states
(symbol lost)    low-indistinguishability relation on traces
(symbol lost)    hyperproperty "mean response time"
SSC              set of all subset-closed hyperproperties
SP               set of all safety properties
≤                trace (or trace set) prefix
Obs              set of all observations
SHP              set of all safety hyperproperties
KSHP(k)          set of all k-safety hyperproperties
S_k              k-fold parallel self-composition
Sys              set of all systems
SecS             hyperproperty "secret sharing"
LP               set of all liveness properties
LHP              set of all liveness hyperproperties
true             hyperproperty that holds of all systems
false            hyperproperty that holds of no systems
Cl               closure operator
PIF              set of all possibilistic information-flow hyperproperties
NNT              hyperproperty "not never terminates"
SAG              trace property "sometime always good"
O                open sets of Plotkin topology
T                completion of trace or observation
O                open sets of our topology
C                closed sets of our topology
(symbol lost)    dense sets of our topology
V                lower Vietoris construction
Cl_C             closure under infinite intersection and finite union
Rep              system representation
Obs(Rep)         observations of a system representation
Rel              system representation "relational systems"
TIRNI            hyperproperty "termination-insensitive noninterference"
TSRNI            hyperproperty "termination-sensitive noninterference"
LTS              system representation "labeled transition systems"
BNDC             hyperproperty "bisimulation nondeducibility on compositions"
SM               system representation "deterministic state machines"
PR               system representation "probabilistic systems"
Pr_{S,s}(T)      probability that set T of finite traces is produced by probabilistic system S beginning in initial state s
PNI              hyperproperty "probabilistic noninterference"
ES               system representation "encryption schemes"
PI               hyperproperty "perfect indistinguishability"
CC_k             hyperproperty "channel capacity"
QL_k             hyperproperty "quantitative leakage"
BCNI             hyperproperty "Boudol and Castellani's noninterference"
B Longer Examples of Hyperproperties


B.1 Boudol and Castellani’s Noninterference

Boudol and Castellani [11] define a bisimulation-based noninterference policy for concurrent programs. To model this policy as a hyperproperty, we first formalize their model of program execution. They model execution as a binary relation → on program terms and memories; a program term P and a memory μ step to a new program term P' and memory μ'. Define the set Σ_P of states for program P to be the set of pairs of a program term and a memory, prog(s) to be the program term from state s, and mem(s) to be the memory from state s. Define traces(P) to be the set of all traces t such that prog(t[0]) is P, and for all i, t[i] → t[i+1]. This construction encodes P as a set of traces and is an instance of our general construction for encoding LTSs (cf. section 7.2.2); here there are only LTS-states and no labels.

Second, we formalize Boudol and Castellani’s security policy. Let =_L be an equivalence relation on memories such that μ_1 =_L μ_2 means μ_1 and μ_2 are indistinguishable to a low observer. State s can step to state s' in program P, denoted steps_P(s, s'), if

$$(\exists\, t \in \Psi_{\mathit{inf}},\, i \in \mathbb{N} : t \in \mathit{traces}(P) \wedge t[i] = s \wedge t[i+1] = s').$$

Define ≈_L (read “bisimilar”) to be a binary relation on Σ_P such that if s_1 is bisimilar to s_2, then s_1 and s_2 must have memories that are indistinguishable to a low observer; further, if s_1 can step to state s'_1, then either s'_1 is bisimilar to s_2, or s_2 can step to some s'_2 where s'_1 and s'_2 are bisimilar. Formally, ≈_L is the largest symmetric binary relation on Σ_P such that

$$
\begin{aligned}
s_1 \approx_L s_2 \;\Rightarrow\;& \mathit{mem}(s_1) =_L \mathit{mem}(s_2) \\
&\wedge\; (\forall\, s'_1 \in \Sigma : \mathit{steps}_P(s_1, s'_1) \Rightarrow \\
&\qquad\quad s'_1 \approx_L s_2 \\
&\qquad\quad \vee\; (\exists\, s'_2 \in \Sigma : \mathit{steps}_P(s_2, s'_2) \wedge s'_1 \approx_L s'_2)).
\end{aligned}
$$

Relation ≈_L formalizes Definition 3.5 ((Γ, L)-Bisimulation) from [11].

Boudol and Castellani define program P to be secure, which we denote BCNI(P), iff P is bisimilar to itself in all initially low-equivalent memories:

$$\mathit{BCNI}(P) \;\triangleq\; (\forall\, \mu_1, \mu_2 : \mu_1 =_L \mu_2 \Rightarrow (P, \mu_1) \approx_L (P, \mu_2)).$$

BCNI(P) formalizes Definition 3.8 (Secure Programs) from [11]. The hyperproperty containing all secure programs according to Boudol and Castellani’s definition is

$$\mathbf{BCNI} = \{\, T \in \mathit{Prop} \mid T \in \mathit{LTS} \Rightarrow (\exists\, P : T = \mathit{traces}(P) \wedge \mathit{BCNI}(P)) \,\}.$$

BCNI is hyperliveness because of the existential quantifier on s'_2 in the definition of ≈_L: any observation that contains traces leading to non-bisimilar states can be remedied by adding additional traces leading to bisimilar states. This remediation corresponds to a closure operator because it only adds traces; thus BCNI is a possibilistic information-flow policy.
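For programs with a finite state space the bisimulation above can be computed mechanically. The following Python is an added example, not code from this paper or from Boudol and Castellani: it encodes a tiny concurrent imperative language as the step relation, computes ≈_L as a greatest fixpoint (start from every low-equal pair of reachable states, then repeatedly discard pairs whose steps cannot be matched), and decides BCNI(P) over a finite set of initial memories. The language, the memory layout (one high and one low variable) and the sample programs are assumptions of this example.

```python
from itertools import product

# Memory layout assumed for this example: a pair (high, low); =_L compares the low slot.
HIGH, LOW = 0, 1
SKIP = ("skip",)


def step(prog, mem):
    """Small-step relation -> on (program term, memory) pairs.  Terms are tuples:
    ("skip",), ("assign", var, value), ("if", var, then, else), ("seq", a, b),
    ("par", a, b).  Returns the set of successor (term, memory) pairs."""
    kind = prog[0]
    if kind == "skip":
        return set()                      # terminal state: no steps
    if kind == "assign":
        _, var, val = prog
        new_mem = list(mem)
        new_mem[var] = val
        return {(SKIP, tuple(new_mem))}
    if kind == "if":
        _, var, then_, else_ = prog
        return {((then_ if mem[var] else else_), mem)}
    if kind == "seq":
        _, a, b = prog
        if a == SKIP:
            return {(b, mem)}
        return {(("seq", a2, b), m2) for a2, m2 in step(a, mem)}
    if kind == "par":                     # nondeterministic interleaving
        _, a, b = prog
        return ({(("par", a2, b), m2) for a2, m2 in step(a, mem)}
                | {(("par", a, b2), m2) for b2, m2 in step(b, mem)})
    raise ValueError(f"unknown term {prog!r}")


def low_eq(m1, m2):
    """mu1 =_L mu2: a low observer cannot tell the two memories apart."""
    return m1[LOW] == m2[LOW]


def reachable_states(prog, memories):
    """The part of Sigma_P reachable from the initial states (P, mu)."""
    frontier = [(prog, m) for m in memories]
    seen = set(frontier)
    while frontier:
        s = frontier.pop()
        for s2 in step(*s):
            if s2 not in seen:
                seen.add(s2)
                frontier.append(s2)
    return seen


def low_bisimulation(states):
    """Largest symmetric relation R on `states` such that (s1, s2) in R implies
    mem(s1) =_L mem(s2) and every step s1 -> s1' is matched either by s1' R s2
    (s2 stays put) or by some step s2 -> s2' with s1' R s2'.  Computed as a
    greatest fixpoint: start from all low-equal pairs and drop violators."""
    rel = {(a, b) for a in states for b in states if low_eq(a[1], b[1])}

    def matched(s1, s2):
        return all((n1, s2) in rel or any((n1, n2) in rel for n2 in step(*s2))
                   for n1 in step(*s1))

    changed = True
    while changed:
        changed = False
        for a, b in list(rel):
            if (a, b) in rel and not (matched(a, b) and matched(b, a)):
                rel.discard((a, b))
                rel.discard((b, a))       # keep the relation symmetric
                changed = True
    return rel


def bcni(prog, memories):
    """BCNI(P): (P, mu1) ~_L (P, mu2) for every pair of low-equal initial memories."""
    rel = low_bisimulation(reachable_states(prog, memories))
    return all(((prog, m1), (prog, m2)) in rel
               for m1, m2 in product(memories, repeat=2) if low_eq(m1, m2))


# Constructed sample inputs: all memories over one Boolean high and one Boolean low.
MEMS = [(h, l) for h in (0, 1) for l in (0, 1)]
SECURE_SEQ = ("seq", ("assign", LOW, 1), ("assign", HIGH, 0))
SECURE_PAR = ("par", ("assign", LOW, 1), ("assign", HIGH, 1))
LEAKY_IF = ("if", HIGH, ("assign", LOW, 1), ("assign", LOW, 0))
# The secret decides whether a second write races with low := 1, so the set of
# reachable low values depends on the high component: not bisimilar.
LEAKY_RACE = ("par", ("assign", LOW, 1), ("if", HIGH, ("assign", LOW, 0), SKIP))

if __name__ == "__main__":
    for name, p in [("SECURE_SEQ", SECURE_SEQ), ("SECURE_PAR", SECURE_PAR),
                    ("LEAKY_IF", LEAKY_IF), ("LEAKY_RACE", LEAKY_RACE)]:
        print(f"{name}: BCNI = {bcni(p, MEMS)}")
```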
B.2 Quantitative Information Flow

We summarize the model of Clarkson et al. [14]. A state has an immutable high component and a mutable low component. A repeated experiment on probabilistic program S is a finite sequence of executions of S. Each individual execution is an experiment. An execution is represented by two states: an initial state, in which inputs are provided to the program, and a final state, in which outputs are given by the program. All initial states (across all executions) in a repeated experiment must have the same high component but may have different low components. The probabilistic behavior of S is modeled by a semantics [[S]] that maps input states to output distributions, where ([[S]]s)(s') is the probability that S begun in state s terminates in state s'. An attacker begins an experiment with a prebelief about the high component of the initial state. After observing the output of the execution, the attacker updates his prebelief to produce a postbelief about the high component of the initial state.

We here use traces and events to represent repeated experiments, where each state in a trace produces an event.^35 The events alternate between input and output, and the first event in a trace must be an input. Each output must have the correct probability of occurring according to [[S]] and the most recent input. Each low input component may vary, but the high component must be the same in each input. Let Syst(S) denote the system of such traces resulting from program S:

$$
\begin{aligned}
\mathit{Syst}(S) = \{\, t \in \Psi_{\mathit{fin}} \mid (\forall\, i : 0 \le 2i+1 < |t| \;\Rightarrow\;& \mathit{ev}_{\mathit{Hin}}(t[2i]) = \mathit{ev}_{\mathit{Hin}}(t[0]) \\
&\wedge\; p(t[2i], t[2i+1]) = ([\![S]\!]\, t[2i])(t[2i+1])) \,\},
\end{aligned}
$$

where |t| denotes the length of finite trace t, and p(·, ·) is the probability function used in section 7.2.4. From Syst(S) we can construct probability measure Pr_{s,Syst(S)}, also used in section 7.2.4.^36 The set of program states must be finite for the probability measure to be well-defined.

Each pair of states t[i] and t[i+1] (for even i) in repeated experiment t yields an experiment. An experiment is described formally by a prebelief, a high input, a low input, a low output, and a postbelief. As part of determining the postbelief for an experiment, the attacker’s prediction δ_A of the low output is calculated from prebelief b_H and low input l:

$$\delta_A(b_H, l) \;=\; \lambda s \,.\; b_H(\mathit{ev}_{\mathit{Hin}}(s)) \cdot \Pr_{r,\mathit{Syst}(S)}(\{r\,s\}),$$

where r is the state that has ev_Hin(s) as its high component and l as its low component. Denote the ith experiment in trace t, with initial prebelief b_H, as ℰ(t, i, b_H). We define ℰ(t, i, b_H) using OCaml-style record syntax:

$$
\begin{aligned}
\mathcal{E}(t, i, b_H) \;\triangleq\; \{\; &\mathit{preBelief} = \mathbf{if}\ i > 0\ \mathbf{then}\ \mathcal{E}(t, i-1, b_H).\mathit{postBelief}\ \mathbf{else}\ b_H; \\
&\mathit{highIn} = \mathit{ev}_{\mathit{Hin}}(t[2i]); \\
&\mathit{lowIn} = \mathit{ev}_L(t[2i]); \\
&\mathit{lowOut} = \mathit{ev}_L(t[2i+1]); \\
&\mathit{postBelief} = ((\delta_A(b_H, l) \mid \mathit{lowOut}) \upharpoonright H) \;\},
\end{aligned}
$$

where | is the distribution conditioning operator, and ↾ is the distribution projection operator, from [14].

^35 A representation in which each finite trace contains two states (initial and final) might seem to be suitable for repeated experiments. That representation would fail to preserve the order in which inputs are provided (in initial states) across the sequence of executions in the repeated experiment. However, a single trace with many states does capture this order.

^36 Note that p(s, s') is defined only at every other state in each trace of Syst(S), so to construct the measure we treat each pair of states in the trace as a single state.

The quantity of flow in experiment ℰ(t, i, b_H), denoted Q(ℰ(t, i, b_H)), is defined in [14, §4]; we do not repeat the formalization here. The quantity of flow over repeated experiment t with initial prebelief b_H, denoted Q(t, b_H), is the sum of the flow for each experiment in t:

$$Q(t, b_H) \;\triangleq\; \sum_{i=0}^{(|t|-1)/2} Q(\mathcal{E}(t, i, b_H)).$$

Hyperproperty QL_k is the set of all systems that exhibit at most k bits of flow over any experiment:

$$\mathbf{QL}_k = \{\, T \in \mathit{Prop} \mid (\exists\, S : T = \mathit{Syst}(S) \Rightarrow (\forall\, t \in T,\, b_H : Q(t, b_H) \le k)) \,\}.$$
C System Representation Results

The results that appear before section 7.2 implicitly assume that the system representation is Prop. Section 7.2 generalizes those results to an arbitrary representation Rep, where Rep is a set of trace sets. We now give the formal statements of those generalized results.

Let Tr(Rep) denote the set of all traces that are contained in any system in Rep, that is, Tr(Rep) = ⋃_{T ∈ Rep} T. Let Obs(Tr(Rep)) denote the set of all finite traces that are prefixes of some trace in Tr(Rep), that is, Obs(Tr(Rep)) = {t ∈ Ψ_fin | (∃ t' ∈ Tr(Rep) : t ≤ t')}. Let the lift [P]_Rep of property P in Rep be 𝒫(P) ∩ Rep.

To generalize safety and liveness to system representations, it suffices to replace Ψ_inf with Tr(Rep), and Ψ_fin with Obs(Tr(Rep)). A trace property S is a safety property for system representation Rep iff

$$(\forall\, t \in \mathit{Tr}(\mathit{Rep}) : t \notin S \Rightarrow (\exists\, m \in \mathit{Obs}(\mathit{Tr}(\mathit{Rep})) : m \le t \wedge (\forall\, t' \in \mathit{Tr}(\mathit{Rep}) : m \le t' \Rightarrow t' \notin S))).$$

A trace property L is a liveness property for system representation Rep iff

$$(\forall\, t \in \mathit{Obs}(\mathit{Tr}(\mathit{Rep})) : (\exists\, t' \in \mathit{Tr}(\mathit{Rep}) : t \le t' \wedge t' \in L)).$$

Let  SP(Rep)  be  the  set  of  all  safety  properties  for  Rep,  and  let  LP(Rep)  be  the  set 
of  all  liveness  properties  for  Rep.  Likewise,  let  SHP(Rep)  be  the  set  of  all  safety 
hyperproperties  for  Rep,  and  let  LHP(Rep)  be  the  set  of  all  liveness  hyperproperties 
for  Rep. 

The  following  results  are  simple  corollaries  of  the  original  results,  although  in  some 
cases  additional  assumptions  are  needed  about  Rep. 

Generalization of Proposition 1. If (∀ t ∈ Tr(Rep) : {t} ∈ Rep), then

$$(\forall\, S \in \mathcal{P}(\mathit{Rep}) : S \in \mathit{SP}(\mathit{Rep}) \Leftrightarrow [S]_{\mathit{Rep}} \in \mathit{SHP}(\mathit{Rep})).$$

The forward direction of this generalization always holds, but the backward direction (⇐) might not hold if Rep does not allow individual traces from Tr(Rep) to be representations: the bad thing for a safety hyperproperty could never be an individual trace, hence the safety hyperproperty could not be the lift of a safety property. So the backward direction requires the assumption that any individual trace in Tr(Rep) is itself a system representation in Rep, that is, (∀ t ∈ Tr(Rep) : {t} ∈ Rep). Note that Prop satisfies this assumption.

Generalization of Proposition 2. If (∀ T ⊆ Tr(Rep) : T ∈ Rep), then

$$(\forall\, L \in \mathcal{P}(\mathit{Rep}) : L \in \mathit{LP}(\mathit{Rep}) \Leftrightarrow [L]_{\mathit{Rep}} \in \mathit{LHP}(\mathit{Rep})).$$

The backward direction of this generalization always holds, but the forward direction (⇒) might not hold if Rep does not allow arbitrary unions of individual traces from Tr(Rep) to be representations: the individual good things for a liveness property, when unioned, would not necessarily be good for the lift of that liveness property. So the forward direction requires the assumption that arbitrary unions of individual traces in Tr(Rep) are themselves system representations in Rep, that is, (∀ T ⊆ Tr(Rep) : T ∈ Rep). Note that Prop satisfies this assumption.

Generalization of Theorem 1. If (∃ L ∈ LP(Rep) : L ≠ Tr(Rep)), then

$$\mathit{SHP}(\mathit{Rep}) \subset \mathit{SSC}(\mathit{Rep}).$$

SSC(Rep) is the set of all hyperproperties for Rep that are subset closed on Rep:

$$P \in \mathit{SSC}(\mathit{Rep}) \;\triangleq\; (\forall\, T \in P : (\forall\, T' \in \mathit{Rep} : T' \subseteq T \Rightarrow T' \in P)).$$

The strictness of the subset in the theorem generalization requires the assumption that there exist subset-closed hyperproperties that are not safety. But it suffices to instead assume that hyperliveness is not trivial for Rep, that is, (∃ L ∈ LP(Rep) : L ≠ Tr(Rep)). Note that Prop satisfies both assumptions.

Generalization of Theorem 2.

$$(\forall\, S \in \mathit{Rep},\, K \in \mathit{KSHP}(k)(\mathit{Rep}) : (\exists\, \hat{K} \in \mathit{SP}(\mathit{Rep}) : S \models K \Leftrightarrow S^k \models \hat{K})).$$

KSHP(k)(Rep) is the subset of SHP(Rep) where the size of bad thing M is bounded by k.

Generalization of Theorem 3. If there exists some liveness hyperproperty for Rep that is not a possibilistic information-flow policy for Rep, then

$$\mathit{PIF}(\mathit{Rep}) \subset \mathit{LHP}(\mathit{Rep}).$$

PIF(Rep) is the set of all possibilistic information-flow policies expressed by closure operators Cl of type Rep → Rep. The strictness of the subset requires the assumption of the existence of a liveness hyperproperty for Rep that is not a possibilistic information-flow policy for Rep. Note that Prop satisfies this assumption.

Generalization of Theorem 5.

$$(\forall\, P \in \mathcal{P}(\mathit{Rep}) : (\exists\, S \in \mathit{SHP}(\mathit{Rep}),\, L \in \mathit{LHP}(\mathit{Rep}) : P = S \cap L)).$$

The proof of this generalization requires the following generalized definition:

$$\mathit{Safe}(P) = \{\, T \in \mathit{Rep} \mid (\forall\, M \in \mathit{Obs}(\mathit{Rep}) : M \le T \Rightarrow (\exists\, T' \in \mathit{Rep} : M \le T' \wedge T' \in P)) \,\}.$$

Also, in the definition of Live(P), notation $\overline{H}$ must now denote the complement of hyperproperty H with respect to Rep.
D Proofs


Bueno  and  Clarkson  [12]  have  formally  verified  Propositions  1  and  2,  Theorems  2,  3, 
and  5,  and  an  analogue  of  Theorem  1  using  the  Isabelle/HOL  proof  assistant  [46].  We 
believe  that  the  remaining  proofs  could  also  be  formally  verified. 

Proposition 1. (∀ S ∈ Prop : S ∈ SP ⇔ [S] ∈ SHP).

Proof.  By  mutual  implication. 

(⇒) Let S be an arbitrary safety property. We want to show that [S] is a safety hyperproperty, that is, any trace property T not in [S] contains some bad thing.

First, we find a bad thing M for T. By the definition of lifting, [S] = 𝒫(S) = {P ∈ Prop | P ⊆ S}. Since T is not in this set, T ⊄ S. So some trace t is in T but not in S. By the definition of safety, if t ∉ S, there is some finite trace m that is a bad thing for S. So no extension of m is in S. Define M to be {m}.

Second, we show that M is irremediable. Note that M ≤ T because m ≤ t and t ∈ T. Let T' be an arbitrary trace property that extends M, that is, M ≤ T'. By the definition of ≤, there exists a t' ∈ T' such that m ≤ t'. We established above that no extension of m is in S, so t' ∉ S. But, again by the definition of lifting, T' ∉ [S], since T' contains a trace not in S.

Thus, by definition, [S] is hypersafety.

(⇐) Let S be an arbitrary trace property such that [S] is hypersafety. We want to show that S is safety. Our strategy is as above: we find a bad thing and then show that it is irremediable.

Consider any t such that t ∉ S. By the definition of lifting, we have that {t} ∉ [S]. By the definition of hypersafety applied to [S], there exists an M ≤ {t} such that for all T' ≥ M, we have T' ∉ [S].

We claim that M must be non-empty. To show this, suppose for sake of contradiction that M is empty. Then M is a prefix of every trace property T', so no T' can be a member of [S], which implies that [S] itself must be empty. But [S] = 𝒫(S), so [S] must at least contain S as a member. This is a contradiction, thus M is non-empty and contains at least one trace.

All traces in M must be prefixes of t, by the definition of ≤. Choose the longest such prefix in M and denote it as m*. This m* serves as a bad thing for t, as we show next.

Let t' be arbitrary such that m* ≤ t', and let T' = {t'}. By the transitivity of ≤, we have M ≤ T', so T' ∉ [S] by the above application of the definition of hypersafety. But this implies that t' ∉ S, by the definition of lifting.

We have shown that, for any t ∉ S, there exists an m ≤ t, such that for any t' ≥ m, we have t' ∉ S. Therefore, S is safety, by definition. □
Theorem 1. SHP ⊂ SSC.

Proof. Assume that S is hypersafety. For sake of contradiction, also assume that S is not subset closed. This latter assumption implies that there exist two trace properties T and T' such that T ∈ S, and T' ∉ S, yet T' ⊆ T. By the definition of hypersafety, since T' ∉ S, there exists an observation M that is a bad thing for T', that is, M ≤ T' and for all T'' such that M ≤ T'', it holds that T'' ∉ S. Consider this M. By the definition of ≤, since T' ⊆ T and M ≤ T', we have M ≤ T. Then T is an instance of T'' above, which means T ∉ S. But this contradicts T ∈ S. Therefore, S must be subset closed.

To see that the subset relation is strict, define the trace property true as Ψ_inf. Consider any liveness property L other than true, for example, guaranteed service GS (2.3). When lifted to hyperproperty [L], the result is subset closed by definition of [·]. By Proposition 2 below (whose proof does not depend on this theorem), [L] is hyperliveness. Since L is not true, we have that [L] is not true, which is the only hyperproperty that is both hypersafety and hyperliveness. So [L] cannot be hypersafety. Thus [L] is a hyperproperty that is not hypersafety but is subset closed. □

Theorem 2. (∀ S ∈ Sys, K ∈ KSHP(k) : (∃ K̂ ∈ SP : S ⊨ K ⇔ S^k ⊨ K̂)).

Proof. Let K be an arbitrary k-safety hyperproperty of system S. Our strategy is to construct a safety property K̂ that holds of system S^k exactly when K holds of S.

Since K is k-safety, every trace property not contained in it has some bad thing of size at most k, that is, for all T ∉ K, there exists an observation M where |M| ≤ k and M ≤ T, such that for all T' where M ≤ T', it holds that T' ∉ K. Construct the set 𝓜 of all such bad things:

$$
\begin{aligned}
\mathcal{M} = \{\, M \in \mathit{Obs} \mid\; & |M| \le k \;\wedge\; (\exists\, T \in \mathit{Prop} : T \notin K \wedge M \le T) \\
& \wedge\; (\forall\, T' \in \mathit{Prop} : M \le T' \Rightarrow T' \notin K) \,\}.
\end{aligned}
$$

Next we define some notation to encode a set of traces as a single trace. Consider a trace property T such that |T| ≤ k. Construct a finite list of traces t_1, t_2, ..., t_k such that t_i ∈ T for all i. Further, we require that no t_i is equal to any t_l for any i and l, unless |T| < k. We construct a trace t such that t[j] is the tuple (t_1[j], t_2[j], ..., t_k[j]); note that t is a trace over state space Σ^k. Let trace t so constructed from T be denoted zip_k(T), and let the inverse of this construction be denoted unzip_k(t); note that zip_k(·) and unzip_k(·) are partial functions. We can also apply this notation to observations, which are finite sets of finite traces.^37

Now we can construct safety property K̂. Let K̂ be the set of traces over Σ^k such that no trace in K̂ encodes an extension of any bad thing M ∈ 𝓜:

$$\hat{K} = \{\, t^k \mid \neg(\exists\, M \in \mathit{Obs} : M \in \mathcal{M} \wedge \mathit{zip}_k(M) \le t^k) \,\},$$

where t^k denotes a trace t over space Σ^k.

To see that K̂ is safety, suppose that t^k ∉ K̂. Then by the definition of K̂, there must exist some M ∈ 𝓜 such that zip_k(M) ≤ t^k. Consider any trace u^k ≥ zip_k(M). By the definition of K̂, we have that u^k ∉ K̂. Thus, for any trace t^k not in K̂, there is some finite bad thing zip_k(M), such that no extension u^k of the bad thing is in K̂. By definition, K̂ is therefore safety.

Finally, we need to show that S satisfies K exactly when S^k satisfies K̂. We do so by mutual implication.

(⇒) Suppose S ⊨ K. Then, by definition, S ∈ K. For sake of contradiction, suppose that S^k ⊄ K̂. Then, by the definition of subset, there exists some t^k ∈ S^k such that t^k ∉ K̂. Let T be unzip_k(t^k). By the definition of K̂, there must exist some M ∈ 𝓜 such that zip_k(M) ≤ t^k. Applying unzip_k(·) to this predicate, and noting that unzip is monotonic with respect to ≤, we obtain M ≤ unzip_k(t^k). By the definition of T, we then have that M ≤ T. By the construction of 𝓜, T therefore cannot be in K. By the construction of S^k and the definition of T, each trace in T must also be a trace of S. So by definition, T ≤ S. By transitivity, we have that M ≤ S. By the construction of 𝓜, S then cannot be in K. But this contradicts the fact that S ∈ K. Therefore, S^k ⊆ K̂, so by definition S^k ⊨ K̂.

(⇐) Suppose S^k ⊨ K̂. Then, by definition, S^k ⊆ K̂. Suppose, for sake of contradiction, that S does not satisfy K. Then, by definition, S ∉ K. Since K is k-safety, this means that there exists an M ≤ S, where |M| ≤ k, such that for all T' ≥ M, T' ∉ K. Let m^k be zip_k(M), and let s^k be a trace of S^k such that m^k ≤ s^k (such a trace must exist since M ≤ S). By the construction of K̂, for any t^k ≥ m^k, we have that t^k ∉ K̂. Therefore, s^k ∉ K̂, and it follows that S^k ⊄ K̂. But this contradicts the fact that S^k ⊆ K̂. Therefore, S ∈ K, so by definition S ⊨ K. □

^37 In this case, the t_i have finite and potentially differing length. So if j > |t_i|, let t_i[j] = ⊥ for some new state ⊥ ∉ Σ. Thus, zip_k(T) is a trace over state space (Σ ∪ {⊥})^k. We redefine trace prefix ≤ over this space to ignore ⊥: let t ≤ t' iff, for some t'' that is a trace over Σ, ⌈t'⌉ = ⌈t⌉t'', where ⌈t⌉ is the truncation of t that removes any ⊥ states. For notational simplicity, we omit this technicality in the remainder of the proof.
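The zip_k encoding and the reduction S ⊨ K ⇔ S^k ⊨ K̂ can be exercised on finite systems. The following Python is an added example, not the paper's code: for k = 2 it takes the 2-safety hyperproperty "two traces that agree on the initial low state agree on the low state at every later position" (an observational-determinism-style policy chosen for this example), builds S^2 by zipping pairs of traces with the ⊥ padding of footnote 37, checks the safety property K̂ prefix by prefix on each zipped trace, and compares the verdict with a direct check of K on S. The state layout (low, high) and the sample systems are assumptions.

```python
from itertools import product

BOT = None            # the padding state "bottom" of footnote 37 (constructed)


def low(state):
    """A state is assumed to be a pair (low, high); this projects the low part."""
    return state[0]


def zip_k(traces):
    """zip_k: encode a k-tuple of finite traces as one trace over (Sigma u {BOT})^k,
    padding shorter traces with BOT so that every position is a k-tuple."""
    n = max(len(t) for t in traces)
    return tuple(tuple(t[j] if j < len(t) else BOT for t in traces) for j in range(n))


def unzip_k(zipped):
    """Inverse of zip_k: split the tuple-states back into k traces, dropping BOT."""
    k = len(zipped[0])
    return tuple(tuple(s[i] for s in zipped if s[i] is not BOT) for i in range(k))


def is_bad_thing(m1, m2):
    """An irremediable observation {m1, m2} for the 2-safety hyperproperty K used
    here: same length, equal initial low state, different low state at the end.
    No extension of such a pair can satisfy K again, so it is a bad thing."""
    return (len(m1) == len(m2) and len(m1) > 0
            and low(m1[0]) == low(m2[0]) and low(m1[-1]) != low(m2[-1]))


def satisfies_K(system):
    """Direct check of the hyperproperty K on the set of traces `system`."""
    for t1, t2 in product(system, repeat=2):
        for j in range(min(len(t1), len(t2))):
            if is_bad_thing(t1[:j + 1], t2[:j + 1]):
                return False
    return True


def bad_thing_in(zipped):
    """The safety property K-hat on one trace over Sigma^2: scan its prefixes and
    return the first prefix that encodes a bad thing, or None if the trace is in
    K-hat.  Only prefixes with no BOT component decode to equal-length traces,
    which is what is_bad_thing requires; once BOT appears nothing later can be bad."""
    for j in range(len(zipped)):
        prefix = zipped[:j + 1]
        if any(s[i] is BOT for s in prefix for i in range(2)):
            break
        m1, m2 = unzip_k(prefix)
        if is_bad_thing(m1, m2):
            return prefix
    return None


def self_composition(system, k=2):
    """S^k: the k-fold parallel self-composition, encoded with zip_k."""
    return {zip_k(ts) for ts in product(system, repeat=k)}


def satisfies_K_hat(system):
    """S^2 |= K-hat: no trace of the self-composition extends a zipped bad thing."""
    return all(bad_thing_in(z) is None for z in self_composition(system))


# Constructed sample systems.  In SECURE the low values never depend on the high
# value; INSECURE copies the high value into the low state after one step.
SECURE = {((0, 0), (1, 0), (1, 0)), ((0, 1), (1, 1), (1, 1)), ((0, 1), (1, 1))}
INSECURE = {((0, 0), (0, 0)), ((0, 1), (1, 1))}

if __name__ == "__main__":
    for name, s in (("SECURE", SECURE), ("INSECURE", INSECURE)):
        print(name, "K:", satisfies_K(s), " K-hat on S^2:", satisfies_K_hat(s))
```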

Proposition 2. (∀ L ∈ Prop : L ∈ LP ⇔ [L] ∈ LHP).

Proof. By mutual implication.

(⇒) Let L be an arbitrary liveness property. We want to show that [L] is a liveness hyperproperty, that is, any observation M can be extended to a trace property T that is contained in [L]. So let M be an arbitrary observation. By the definition of liveness, for each m ∈ M, there exists some t ≥ m such that t ∈ L. For a given m, let that trace t be denoted t_m. Construct the set T = ⋃_{m ∈ M} {t_m}. Since all the t_m are elements of L, we have T ⊆ L. By the definition of lifting, it follows that T is contained in [L]. Further, T extends M by the construction of T. Thus, T satisfies the requirements of the trace property we needed to construct. By definition, [L] is hyperliveness.

(⇐) Let L be an arbitrary property such that [L] is hyperliveness. We want to show that L is liveness. So consider an arbitrary trace t, and let T = {t}. Since [L] is hyperliveness, we have that there exists a T' such that T ≤ T' and T' ∈ [L]. Since T ≤ T' and T = {t}, there exists a t' such that t ≤ t' and t' ∈ T', by the definition of ≤. By the definition of lifting, if t' ∈ T' ∈ [L], then it must be the case that t' ∈ L. Thus, for any t, there exists a t' such that t ≤ t' and t' ∈ L. Therefore, L is liveness, by definition. □

Theorem 3. PIF ⊂ LHP.

Proof. Let P be an arbitrary possibilistic information-flow hyperproperty, and let Cl_P be the closure operator that Mantel [38] would associate with P.^38 Then, by Mantel’s Definition 10, it must be the case that P = {Cl_P(T) | T ∈ Prop}. Closure operators must satisfy the axiom (∀ X : X ⊆ Cl(X)), which we use below.

To show that P is hyperliveness, let T ∈ Obs be arbitrary. By the definition of hyperliveness, we need to show that there exists a T' ∈ Prop such that T ≤ T' and T' ∈ P. Let T' be Cl_P($\overline{T}$), where $\overline{T}$ denotes the embedding of T into Prop by infinitely stuttering the final state of each trace in T, as discussed in section 2. By the closure axiom above, we have that $\overline{T}$ ⊆ Cl_P($\overline{T}$). So by the definition of ≤, we can conclude T ≤ Cl_P($\overline{T}$) = T'. Further, T' must be an element of P since it is the Cl_P-closure of trace property $\overline{T}$. Therefore, T' satisfies the required conditions, and P is hyperliveness.

To see that the subset relation is strict, consider liveness property GS (guaranteed service) from section 2. It corresponds to liveness hyperproperty [GS], but has no corresponding closure operator. For suppose that such a closure operator did exist, and consider an infinite trace t in which service fails to occur. The closure of any set containing t must still contain t, by the axiom above. But then the closure does not satisfy GS, and so the closure operator cannot correspond to [GS]. □

Proposition 3. 𝒪_b = 𝒪_sb.

Proof. By mutual containment.

(⊇) By definition, the elements of 𝒪_b are finite intersections of elements of 𝒪_sb. Thus, every element of 𝒪_sb is already trivially an element of 𝒪_b.

(⊆) Let N be an arbitrary element of 𝒪_b. By the definition of a base, we can write N as ⋂_i ↑M_i, where i ranges over a finite index set and each M_i is an observation. We want to show that there exists an element ↑N̂ of 𝒪_sb such that N = ↑N̂. So consider N. Every trace property T in it must extend every M_i. Thus, by the definition of ≤, every such trace property T extends ⋃_i M_i. Therefore N = ↑⋃_i M_i. Our desired observation N̂ is thus ⋃_i M_i. Note that, for N̂ to be a valid observation, it must be a finite set. The union over the M_i must therefore result in a finite set, which it does, since i ranges over a finite index set. □

^38 More precisely, Mantel argues that every “possibilistic information-flow property [sic]” can be expressed as a basic security predicate, and that each basic security predicate induces a set of closure operators. Any element of this set suffices to instantiate Cl_P. Also, Mantel’s closure operators were over finite traces, and we have generalized to infinite traces.
Proposition 4. SHP = 𝒞.

Proof. By mutual containment.

(⊆) Let S be an arbitrary safety hyperproperty. We need to show that it is also a closed set. By the definition of closed, this is equivalent to showing that S is the complement of an open set. Our strategy is to construct hyperproperty O, show that O and $\overline{S}$ are equal, and show that O is open.

By the definition of hypersafety, we have that any trace property T that is not a member of S, and thus is a member of $\overline{S}$, must contain some bad thing. Consider the set 𝓜 ∈ 𝒫(Obs) of all bad things for S. 𝓜 contains one or more elements for every trace property in $\overline{S}$:

$$\mathcal{M} = \{\, M \in \mathit{Obs} \mid (\exists\, T \in \overline{S} : M \le T \wedge (\forall\, T' \in \mathit{Prop} : M \le T' \Rightarrow T' \in \overline{S})) \,\}.$$

Next, define O as the completion of 𝓜, that is, the set of all trace properties that extend a bad thing for S:

$$O = \bigcup_{M \in \mathcal{M}} \uparrow\! M = \{\, T \mid (\exists\, M \in \mathcal{M} : M \le T) \,\}, \tag{D.1}$$

where the equality follows by the definition of ↑M. Since each such trace property T violates S, we would suspect that O is the complement of S. This is indeed the case:

Claim. O = $\overline{S}$

Proof. By mutual containment.

(⊆) Suppose T ∈ O. Then by equation D.1, there is some M ∈ 𝓜 such that M ≤ T. By the definition of 𝓜, any extension of M is an element of $\overline{S}$. Since T is such an extension, T ∈ $\overline{S}$.

(⊇) Suppose T ∈ $\overline{S}$. Then T ∉ S, so by the definition of hypersafety, (∃ M ∈ Obs : M ≤ T ∧ (∀ T' ∈ Prop : M ≤ T' ⇒ T' ∉ S)). Consider that M. It must be a member of 𝓜, by definition. Since M ≤ T, we have that T ∈ O by equation D.1. □

All that remains is to show that O is open. First, note that ↑M, for any M ∈ Obs, is by definition an element of 𝒪_sb. Thus each of the sets ↑M in the definition of O is open. Second, by the definition of open sets, a union of open sets is open. O is such a union, and is therefore open.

(⊇) Let C be an arbitrary closed set. We need to show that it is also hypersafety. Our strategy is to identify, for any trace property T not in C, a bad thing for T. If such a bad thing exists for all T, then C is by definition hypersafety.
Since C is closed, it is by definition the complement of an open set. By Proposition 3, we can therefore write $\overline{C}$ as follows:

$$\overline{C} = \bigcup_i \uparrow\! M_i, \tag{D.2}$$

where each M_i is an observation.

Let T be an arbitrary trace property such that T ∉ C, or equivalently, such that T ∈ $\overline{C}$. Then T must be in at least one of the sets in the infinite union in equation D.2. Thus, there must exist an i such that

$$T \in\, \uparrow\! M_i \quad\text{and}\quad \uparrow\! M_i = \{\, U \in \mathit{Prop} \mid M_i \le U \,\}, \tag{D.3}$$

where the equality follows from the definition of ↑.

We construct the bad thing M for T by defining:

$$M = M_i.$$

We have that M ≤ T, because of equation D.3.

To show that M is a bad thing for T, consider any T' ≥ M. By the definition of M, T' ≥ M_i. By equation D.3, it follows that T', like T, is a member of ↑M_i. By equation D.2, T' ∈ $\overline{C}$. Therefore, T' ∉ C.

We have now shown that for any T ∉ C, there exists an M ≤ T, such that for all T' ≥ M, T' ∉ C. Thus C is hypersafety, by definition. □

Proposition 5. LHP = 𝒟.

Proof. By mutual containment.

(⊆) Let L be an arbitrary liveness hyperproperty. We need to show that L is dense. By the definition of dense, we must therefore show that L intersects every non-empty open set. So let O be an arbitrary non-empty open set. We need to show that L ∩ O is non-empty. By Proposition 3 and the definition of open, we can write O as ⋃_i ↑M_i. Consider an arbitrary M_i. Since L is hyperliveness, there exists a T ≥ M_i such that T ∈ L. Further, by the definition of ↑, we have that T ∈ O. Therefore, T ∈ L ∩ O, and it follows that L is dense, by definition.

(⊇) Let D be an arbitrary dense set. To show that D is hyperliveness, we must show that any observation T can be extended to a trace property T' contained in D, that is, (∀ T ∈ Obs : (∃ T' ∈ Prop : T ≤ T' ∧ T' ∈ D)). So let T be an arbitrary observation. Let O_T be the completion of T:

$$O_T = \uparrow\! T = \{\, T' \in \mathit{Prop} \mid T \le T' \,\}. \tag{D.4}$$

O_T is an element of 𝒪_sb, the subbase of our topology, by definition. Thus, by the definition of a subbase, O_T is an open set. By the definition of a dense set (which is that a dense set intersects every open set), we therefore have that O_T ∩ D ≠ ∅. Let T' be any element in the set O_T ∩ D. By equation D.4, we have T ≤ T'.

We have now shown that, for an arbitrary observation T, there exists a trace property T' such that T ≤ T' and T' ∈ D. Therefore, D is hyperliveness, by definition. □

Theorem 4. $\mathfrak{O} = \mathfrak{V}_L(\mathcal{O})$.

Proof. By mutual containment.

($\subseteq$) Suppose $O \in \mathfrak{O}$. By the definitions of a base and of $\mathfrak{O}$, we can write $O$ as $\bigcup_i^{\infty} \uparrow M_i$, where each $M_i$ is an element of $\mathrm{Obs}$.[39] Now we calculate:

$$\bigcup_i^{\infty} \uparrow M_i$$

= ( definition of $\uparrow$ )

$$\bigcup_i^{\infty} \{T \mid T \ge M_i\}$$

= ( definition of $\le$ )

$$\bigcup_i^{\infty} \{T \mid (\forall^{*} m_{ij} \in M_i : (\exists t \in T : m_{ij} \le t))\}$$

= ( definition of $\uparrow$ )

$$\bigcup_i^{\infty} \{T \mid (\forall^{*} m_{ij} \in M_i : T \cap \uparrow m_{ij} \ne \emptyset)\}$$

= ( definition of $\langle\cdot\rangle$ )

$$\bigcup_i^{\infty} \{T \mid (\forall^{*} m_{ij} \in M_i : T \in \langle \uparrow m_{ij} \rangle)\}$$

= ( definition of $\cap$ )

$$\bigcup_i^{\infty} \bigcap_j^{*} \langle \uparrow m_{ij} \rangle$$

Since $\uparrow m_{ij} \in \mathcal{O}_b$ by definition, and $\mathcal{O}_b \subseteq \mathcal{O}$ by the definition of base, we have that $\langle \uparrow m_{ij} \rangle \in \mathfrak{V}_L(\mathcal{O})$. Thus, by the definition of subbase, $\bigcup_i^{\infty} \bigcap_j^{*} \langle \uparrow m_{ij} \rangle \in \mathfrak{V}_L(\mathcal{O})$. Therefore, by the calculation above, we can conclude $O \in \mathfrak{V}_L(\mathcal{O})$.

($\supseteq$) Suppose $O \in \mathfrak{V}_L(\mathcal{O})$. By the definition of subbase and $\mathfrak{V}_L$, we can write $O$ as $\bigcup_i^{\infty} \bigcap_j^{*} \langle O_{ij} \rangle$, where each $O_{ij}$ is an element of $\mathcal{O}$. Now we calculate:

$$\bigcup_i^{\infty} \bigcap_j^{*} \langle O_{ij} \rangle$$

= ( definition of $\langle\cdot\rangle$ )

$$\bigcup_i^{\infty} \bigcap_j^{*} \{T \mid T \cap O_{ij} \ne \emptyset\}$$

Since $O_{ij}$ is open in the base topology $\mathcal{O}$, it can be rewritten as a union of base open sets $\uparrow t_{ijk}$, where each $t_{ijk}$ is a finite trace:

$$O_{ij} = \bigcup_k \uparrow t_{ijk}.$$

We continue calculating:

= ( rewriting $O_{ij}$ )

$$\bigcup_i^{\infty} \bigcap_j^{*} \{T \mid T \cap (\textstyle\bigcup_k \uparrow t_{ijk}) \ne \emptyset\}$$

= ( set theory )

$$\bigcup_i^{\infty} \{T \mid (\forall^{*} j : (\exists k : T \cap \uparrow t_{ijk} \ne \emptyset))\}$$

= ( definition of $\le$ )

$$\bigcup_i^{\infty} \{T \mid (\forall^{*} j : (\exists k : \{t_{ijk}\} \le T))\}$$

= ( set theory; let $k'$ be the $k$ guaranteed to exist for $i$ and $j$ )

$$\bigcup_i^{\infty} \{T \mid \textstyle\bigcup_j^{*} \{t_{ijk'}\} \le T\}$$

= ( let $M_i = \bigcup_j^{*} \{t_{ijk'}\}$ )

$$\bigcup_i^{\infty} \{T \mid M_i \le T\}$$

= ( definition of $\uparrow$ )

$$\bigcup_i^{\infty} \uparrow M_i$$

Finally, since $M_i$ is a finite set of finite traces, it is an element of $\mathrm{Obs}$. So by definition, $\uparrow M_i \in \mathfrak{O}_{sb}$. Thus by the definition of base, $\bigcup_i^{\infty} \uparrow M_i \in \mathfrak{O}$. Therefore, by the calculation above, we can conclude $O \in \mathfrak{O}$. □

[39] We decorate quantifiers with $\infty$ and $*$ to denote an infinite and finite range, respectively.

Proposition 6. $\mathrm{SHP} = \mathit{Cl}_c(\{[S] \mid S \in \mathrm{SP}\})$.

Proof. Let $S$ be an arbitrary safety hyperproperty. By Proposition 4, $S$ is a closed set in topology $\mathfrak{O}$. By Theorem 4, $S$ is thus also a closed set in topology $\mathfrak{V}_L(\mathcal{O})$. By the definition of closed, $S$ is the complement of an open set in topology $\mathfrak{V}_L(\mathcal{O})$. By the definition of a base, we can thus write the complement of $S$ as unions of intersections of base elements. Letting $\overline{X}$ denote the set complement of $X$, we calculate:

$$\overline{S}$$

= ( definition of base )

$$\bigcup_i^{\infty} \bigcap_j^{*} \langle O_{ij} \rangle$$

= ( definition of $\langle\cdot\rangle$ )

$$\bigcup_i^{\infty} \bigcap_j^{*} \{T \mid T \cap O_{ij} \ne \emptyset\}$$

= ( double negation )

$$\overline{\overline{\bigcup_i^{\infty} \bigcap_j^{*} \{T \mid T \cap O_{ij} \ne \emptyset\}}}$$

= ( set theory )

$$\overline{\bigcap_i^{\infty} \bigcup_j^{*} \{T \mid T \cap O_{ij} = \emptyset\}}$$

= ( set theory )

$$\overline{\bigcap_i^{\infty} \bigcup_j^{*} \{T \mid T \subseteq \overline{O_{ij}}\}}$$

= ( definition of $[\cdot]$ )

$$\overline{\bigcap_i^{\infty} \bigcup_j^{*} [\overline{O_{ij}}]}$$

Removing a complement from each side of the above equation, we obtain

$$S = \bigcap_i^{\infty} \bigcup_j^{*} [\overline{O_{ij}}].$$

Since each $O_{ij}$ is open in topology $\mathcal{O}$, we have that $\overline{O_{ij}}$ is closed in $\mathcal{O}$. By the fact that closed sets in $\mathcal{O}$ correspond to safety properties [4], $\overline{O_{ij}}$ is a safety property. Therefore, $S$ is the infinite intersection of finite unions of lifted safety properties $[\overline{O_{ij}}]$, and by definition of $\mathit{Cl}_c$ must be an element of $\mathit{Cl}_c(\{[S] \mid S \in \mathrm{SP}\})$.

Similarly, given an arbitrary element of $\mathit{Cl}_c(\{[S] \mid S \in \mathrm{SP}\})$, the same reasoning used above establishes that it is also an element of $\mathrm{SHP}$. Therefore, by mutual containment, the two sets are equal. □

Theorem 5. $(\forall P \in \mathrm{HP} : (\exists S \in \mathrm{SHP}, L \in \mathrm{LHP} : P = S \cap L))$.

Proof. This theorem can be easily proved by adapting either the logical [54] or topological [4] proof of the intersection theorem for trace properties. The domains involved are merely upgraded to include an additional level of sets. Here we take the former approach and rehearse the logical proof.

Our strategy is as follows. Given hyperproperty $P$, we construct safety hyperproperty $S$ that contains $P$ as a subset. We also construct liveness hyperproperty $L$ that contains $P$. The intersection of $S$ and $L$ then necessarily contains $P$, and we shall show that the intersection is, in fact, exactly $P$.

To construct $S$, we define the safety hyperproperty $\mathit{Safe}(P)$, which stipulates that the hyperliveness of $P$ is never violated. A bad thing for this safety hyperproperty is any set of traces that cannot be extended to satisfy $P$. So we require that $\mathit{Safe}(P)$ contains only sets $T$ of traces such that any observation of $T$ can be extended to satisfy $P$. Formally,

$$\mathit{Safe}(P) = \{T \in \mathrm{Prop} \mid (\forall M \in \mathrm{Obs} : M \le T \Rightarrow (\exists T' \in \mathrm{Prop} : M \le T' \wedge T' \in P))\}.$$

It is straightforward to establish that $\mathit{Safe}(P)$ is hypersafety: Any set $T$ not contained in $\mathit{Safe}(P)$ must satisfy the negation of the predicate in the above definition of $\mathit{Safe}(P)$, that is, $(\exists M \in \mathrm{Obs} : M \le T \wedge (\forall T' \in \mathrm{Prop} : M \le T' \Rightarrow T' \notin P))$. If no extension of $M$ can be in $P$, then no extension $T'$ of $M$ can be in $\mathit{Safe}(P)$ because the hyperliveness of $P$ would be violated in $T'$ at observation $M$. So

$$(\forall T' \in \mathrm{Prop} : M \le T' \Rightarrow T' \notin P) \;\Rightarrow\; (\forall T' \in \mathrm{Prop} : M \le T' \Rightarrow T' \notin \mathit{Safe}(P)). \tag{D.5}$$

Thus, by monotonicity, $(\exists M \in \mathrm{Obs} : M \le T \wedge (\forall T' \in \mathrm{Prop} : M \le T' \Rightarrow T' \notin \mathit{Safe}(P)))$. Therefore $\mathit{Safe}(P)$ is hypersafety.

Similarly, to construct $L$, we define the liveness hyperproperty $\mathit{Live}(P)$, which stipulates that it is always possible either to satisfy $P$ or to become impossible, due to some bad thing, to satisfy $P$. In the latter case, a safety hyperproperty has been violated, namely $\mathit{Safe}(P)$. Formally,

$$\mathit{Live}(P) = P \cup \overline{\mathit{Safe}(P)},$$

where $\overline{H}$ denotes the complement of hyperproperty $H$ with respect to $\mathrm{Prop}$. To show that $\mathit{Live}(P)$ is hyperliveness, consider any observation $T$. Suppose that $T$ can be extended to some trace property $T'$ such that $T' \in P$. Then $T'$ is also in $\mathit{Live}(P)$, so $\mathit{Live}(P)$ is hyperliveness for $T$. On the other hand, if $T$ cannot be extended to satisfy $P$, then $T$ is a bad thing for $\mathit{Safe}(P)$, that is, $(\forall T' \in \mathrm{Prop} : T \le T' \Rightarrow T' \notin P)$. Let $T'$ be an arbitrary extension of $T$. By the same reasoning as equation (D.5), $T'$ is not in $\mathit{Safe}(P)$. Therefore $T'$ must be in $\overline{\mathit{Safe}(P)}$. Thus, $\mathit{Live}(P)$ is again hyperliveness for $T$. We conclude that $\mathit{Live}(P)$ is hyperliveness.

Next, note that $P \subseteq \mathit{Safe}(P)$, because any element $T$ of $P$ satisfies the definition of $\mathit{Safe}(P)$. In particular, for any $M \le T$, there is a $T' \ge M$ such that $T' \in P$, namely $T' = T$. Thus, $\mathit{Safe}(P) = P \cup \mathit{Safe}(P)$.

Finally, let $S = \mathit{Safe}(P)$ and $L = \mathit{Live}(P)$, and we prove the theorem by simple set manipulation:

$$\begin{array}{rcl}
S \cap L & = & \mathit{Safe}(P) \cap \mathit{Live}(P) \\
 & = & (P \cup \mathit{Safe}(P)) \cap (P \cup \overline{\mathit{Safe}(P)}) \\
 & = & P \cap (\mathit{Safe}(P) \cup \overline{\mathit{Safe}(P)}) \\
 & = & P \cap \mathrm{Prop} \\
 & = & P
\end{array}$$

□
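The $\mathit{Safe}(P)$/$\mathit{Live}(P)$ construction of Theorem 5, carried out exhaustively in a small model as an added example (not code from the paper). It assumes, unlike the paper, that traces are bounded to length 2 over the alphabet {a, b}, so that $\mathrm{Prop}$ and $\mathrm{Obs}$ are finite; the hyperproperty $P$ ("$T$ is non-empty and all its traces end in the same symbol") is constructed for the example and is neither hypersafety nor hyperliveness, so the decomposition is non-trivial.

```python
# Constructed toy model of Theorem 5's Safe(P)/Live(P) construction. Assumption
# (not the paper's model): traces are bounded to length 2 over {a, b}, so Prop
# and Obs are finite and can be enumerated exhaustively.
from itertools import combinations, product

TRACES = ["".join(p) for p in product("ab", repeat=2)]          # full traces
FINITE = sorted({t[:i] for t in TRACES for i in range(3)})      # all prefixes

def powerset(xs):
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]

PROP = powerset(TRACES)  # all trace properties (sets of full traces)
OBS = powerset(FINITE)   # all observations (finite sets of finite traces)

def leq(m, t):
    """M <= T: every finite trace in M is a prefix of some trace in T."""
    return all(any(full.startswith(f) for full in t) for f in m)

def safe(p):
    """Safe(P): the T whose every observation M <= T extends to some T' in P."""
    return frozenset(t for t in PROP
                     if all(any(leq(m, t2) for t2 in p) for m in OBS if leq(m, t)))

def live(p):
    """Live(P) = P union complement(Safe(P)), complement taken within Prop."""
    s = safe(p)
    return frozenset(t for t in PROP if t in p or t not in s)

def is_hypersafety(h):
    """Every T outside H has a bad thing M <= T: no extension of M lies in H."""
    return all(any(leq(m, t) and all(t2 not in h for t2 in PROP if leq(m, t2))
                   for m in OBS)
               for t in PROP if t not in h)

def is_hyperliveness(h):
    """Every observation can be extended to some member of H."""
    return all(any(leq(m, t) for t in h) for m in OBS)

# Constructed hyperproperty: non-empty T whose traces all end in the same symbol.
# It is neither hypersafety (empty set: no bad thing) nor hyperliveness ({aa, ab}).
P = frozenset(t for t in PROP if t and len({x[-1] for x in t}) == 1)

def decompose(p):
    """Return (Safe(P), Live(P), Safe(P) & Live(P)); the last equals P."""
    s, l = safe(p), live(p)
    return s, l, s & l

if __name__ == "__main__":
    S, L, SL = decompose(P)
    print(len(P), len(S), len(L), SL == P, is_hypersafety(S), is_hyperliveness(L))
```

In this model $\mathit{Safe}(P)$ adds only the empty trace property to $P$, while $\mathit{Live}(P)$ contains every non-empty trace property, and their intersection is exactly $P$.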